Update module github.com/alecthomas/chroma/v2 to v2.18.0 (forgejo) (#7890)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/7890
Reviewed-by: Gusted <gusted@noreply.codeberg.org>
Co-authored-by: Renovate Bot <forgejo-renovate-action@forgejo.org>
Co-committed-by: Renovate Bot <forgejo-renovate-action@forgejo.org>

.air.toml

@@ -2,9 +2,10 @@ root = "."
 tmp_dir = ".air"
 
 [build]
+pre_cmd = ["killall -9 gitea 2>/dev/null || true"] # kill off potential zombie processes from previous runs
 cmd = "make --no-print-directory backend"
 bin = "gitea"
-delay = 1000
+delay = 2000
 include_ext = ["go", "tmpl"]
 include_file = ["main.go"]
 include_dir = ["cmd", "models", "modules", "options", "routers", "services"]
@@ -15,8 +16,14 @@ exclude_dir = [
   "modules/avatar/testdata",
   "modules/git/tests",
   "modules/migration/file_format_testdata",
+  "modules/markup/tests/repo/repo1_filepreview",
   "routers/private/tests",
   "services/gitdiff/testdata",
+  "services/migrations/testdata",
+  "services/webhook/sourcehut/testdata",
 ]
 exclude_regex = ["_test.go$", "_gen.go$"]
 stop_on_error = true
+
+[log]
+main_only = true

.changelog.yml

@@ -1,57 +0,0 @@
-# The full repository name
-repo: go-gitea/gitea
-
-# Service type (gitea or github)
-service: github
-
-# Base URL for Gitea instance if using gitea service type (optional)
-# Default: https://gitea.com
-base-url:
-
-# Changelog groups and which labeled PRs to add to each group
-groups:
-  -
-    name: BREAKING
-    labels:
-      - pr/breaking
-  -
-    name: SECURITY
-    labels:
-      - topic/security
-  -
-    name: FEATURES
-    labels:
-      - type/feature
-  -
-    name: API
-    labels:
-      - modifies/api
-  -
-    name: ENHANCEMENTS
-    labels:
-      - type/enhancement
-      - type/refactoring
-      - topic/ui
-  -
-    name: BUGFIXES
-    labels:
-      - type/bug
-  -
-    name: TESTING
-    labels:
-      - type/testing
-  -
-    name: BUILD
-    labels:
-      - topic/build
-      - topic/code-linting
-  -
-    name: DOCS
-    labels:
-      - type/docs
-  -
-    name: MISC
-    default: true
-
-# regex indicating which labels to skip for the changelog
-skip-labels: skip-changelog|backport\/.+

.deadcode-out

@@ -1,345 +1,234 @@
-package "code.gitea.io/gitea/cmd"
-	func NoMainListener
+forgejo.org/cmd
+	NoMainListener
 
-package "code.gitea.io/gitea/cmd/forgejo"
-	func ContextSetNoInit
-	func ContextSetNoExit
-	func ContextSetStderr
-	func ContextGetStderr
-	func ContextSetStdout
-	func ContextSetStdin
+forgejo.org/cmd/forgejo
+	ContextSetNoInit
+	ContextSetNoExit
+	ContextSetStderr
+	ContextGetStderr
+	ContextSetStdout
+	ContextSetStdin
 
-package "code.gitea.io/gitea/models"
-	func IsErrUpdateTaskNotExist
-	func (ErrUpdateTaskNotExist).Error
-	func (ErrUpdateTaskNotExist).Unwrap
-	func IsErrSHANotFound
-	func IsErrMergeDivergingFastForwardOnly
-	func GetYamlFixturesAccess
+forgejo.org/models
+	IsErrSHANotFound
+	IsErrMergeDivergingFastForwardOnly
 
-package "code.gitea.io/gitea/models/actions"
-	func (ScheduleList).GetUserIDs
-	func (ScheduleList).GetRepoIDs
-	func (ScheduleList).LoadTriggerUser
-	func (ScheduleList).LoadRepos
-	func GetVariableByID
+forgejo.org/models/auth
+	WebAuthnCredentials
 
-package "code.gitea.io/gitea/models/asymkey"
-	func (ErrGPGKeyAccessDenied).Error
-	func (ErrGPGKeyAccessDenied).Unwrap
-	func HasDeployKey
+forgejo.org/models/db
+	TruncateBeans
+	InTransaction
+	DumpTables
 
-package "code.gitea.io/gitea/models/auth"
-	func GetSourceByName
-	func GetWebAuthnCredentialByID
-	func WebAuthnCredentials
+forgejo.org/models/dbfs
+	file.renameTo
+	Create
+	Rename
 
-package "code.gitea.io/gitea/models/db"
-	func TruncateBeans
-	func InTransaction
-	func DumpTables
+forgejo.org/models/forgefed
+	GetFederationHost
 
-package "code.gitea.io/gitea/models/dbfs"
-	func (*file).renameTo
-	func Create
-	func Rename
+forgejo.org/models/forgejo/semver
+	GetVersion
+	SetVersionString
+	SetVersion
 
-package "code.gitea.io/gitea/models/forgejo/semver"
-	func GetVersion
-	func SetVersionString
-	func SetVersion
+forgejo.org/models/git
+	RemoveDeletedBranchByID
 
-package "code.gitea.io/gitea/models/git"
-	func RemoveDeletedBranchByID
+forgejo.org/models/issues
+	IsErrUnknownDependencyType
+	IsErrIssueWasClosed
 
-package "code.gitea.io/gitea/models/issues"
-	func IsErrUnknownDependencyType
-	func (ErrNewIssueInsert).Error
-	func IsErrIssueWasClosed
-	func ChangeMilestoneStatus
+forgejo.org/models/organization
+	SearchMembersOptions.ToConds
 
-package "code.gitea.io/gitea/models/migrations/base"
-	func removeAllWithRetry
-	func newXORMEngine
-	func deleteDB
-	func PrepareTestEnv
-	func MainTest
+forgejo.org/models/perm/access
+	GetRepoWriters
 
-package "code.gitea.io/gitea/models/organization"
-	func UpdateTeamUnits
-	func (SearchMembersOptions).ToConds
-	func UsersInTeamsCount
+forgejo.org/models/repo
+	WatchRepoMode
 
-package "code.gitea.io/gitea/models/perm/access"
-	func GetRepoWriters
+forgejo.org/models/user
+	IsErrExternalLoginUserAlreadyExist
+	IsErrExternalLoginUserNotExist
+	NewFederatedUser
+	IsErrUserSettingIsNotExist
+	GetUserAllSettings
+	DeleteUserSetting
 
-package "code.gitea.io/gitea/models/project"
-	func UpdateBoardSorting
-	func ChangeProjectStatus
+forgejo.org/modules/activitypub
+	NewContext
+	Context.APClientFactory
 
-package "code.gitea.io/gitea/models/repo"
-	func DeleteAttachmentsByIssue
-	func (*releaseSorter).Len
-	func (*releaseSorter).Less
-	func (*releaseSorter).Swap
-	func SortReleases
-	func FindReposMapByIDs
-	func (SearchOrderBy).String
-	func IsErrTopicNotExist
-	func (ErrTopicNotExist).Error
-	func (ErrTopicNotExist).Unwrap
-	func GetTopicByName
-	func WatchRepoMode
+forgejo.org/modules/assetfs
+	Bindata
 
-package "code.gitea.io/gitea/models/unittest"
-	func CheckConsistencyFor
-	func checkForConsistency
-	func GetXORMEngine
-	func OverrideFixtures
-	func InitFixtures
-	func LoadFixtures
-	func Copy
-	func CopyDir
-	func NewMockWebServer
-	func NormalizedFullPath
-	func FixturesDir
-	func fatalTestError
-	func InitSettings
-	func MainTest
-	func CreateTestEngine
-	func PrepareTestDatabase
-	func PrepareTestEnv
-	func Cond
-	func OrderBy
-	func LoadBeanIfExists
-	func BeanExists
-	func AssertExistsAndLoadBean
-	func GetCount
-	func AssertNotExistsBean
-	func AssertExistsIf
-	func AssertSuccessfulInsert
-	func AssertCount
-	func AssertInt64InRange
+forgejo.org/modules/auth/password/hash
+	DummyHasher.HashWithSaltBytes
+	NewDummyHasher
 
-package "code.gitea.io/gitea/models/user"
-	func IsErrPrimaryEmailCannotDelete
-	func (ErrUserInactive).Error
-	func (ErrUserInactive).Unwrap
-	func IsErrExternalLoginUserAlreadyExist
-	func IsErrExternalLoginUserNotExist
-	func IsErrUserSettingIsNotExist
-	func GetUserAllSettings
-	func DeleteUserSetting
-	func GetUserEmailsByNames
+forgejo.org/modules/auth/password/pwn
+	WithHTTP
 
-package "code.gitea.io/gitea/modules/activitypub"
-	func CurrentTime
-	func containsRequiredHTTPHeaders
-	func NewClient
-	func (*Client).NewRequest
-	func (*Client).Post
-	func GetPrivateKey
+forgejo.org/modules/base
+	SetupGiteaRoot
 
-package "code.gitea.io/gitea/modules/assetfs"
-	func Bindata
+forgejo.org/modules/cache
+	GetInt
+	WithNoCacheContext
+	RemoveContextData
 
-package "code.gitea.io/gitea/modules/auth/password/hash"
-	func (*DummyHasher).HashWithSaltBytes
-	func NewDummyHasher
+forgejo.org/modules/emoji
+	ReplaceCodes
 
-package "code.gitea.io/gitea/modules/auth/password/pwn"
-	func WithHTTP
+forgejo.org/modules/eventsource
+	Event.String
 
-package "code.gitea.io/gitea/modules/base"
-	func SetupGiteaRoot
+forgejo.org/modules/forgefed
+	NewForgeUndoLike
+	ForgeUndoLike.UnmarshalJSON
+	ForgeUndoLike.Validate
+	GetItemByType
+	JSONUnmarshalerFn
+	NotEmpty
+	ToRepository
+	OnRepository
 
-package "code.gitea.io/gitea/modules/cache"
-	func GetInt
-	func WithNoCacheContext
-	func RemoveContextData
+forgejo.org/modules/git
+	AllowLFSFiltersArgs
+	AddChanges
+	AddChangesWithArgs
+	CommitChanges
+	CommitChangesWithArgs
+	SetUpdateHook
+	openRepositoryWithDefaultContext
+	ToEntryMode
 
-package "code.gitea.io/gitea/modules/charset"
-	func (*BreakWriter).Write
+forgejo.org/modules/gitrepo
+	GetBranchCommitID
+	GetWikiDefaultBranch
 
-package "code.gitea.io/gitea/modules/emoji"
-	func ReplaceCodes
+forgejo.org/modules/graceful
+	Manager.TerminateContext
+	Manager.Err
+	Manager.Value
+	Manager.Deadline
 
-package "code.gitea.io/gitea/modules/eventsource"
-	func (*Event).String
+forgejo.org/modules/hcaptcha
+	WithHTTP
 
-package "code.gitea.io/gitea/modules/git"
-	func AllowLFSFiltersArgs
-	func AddChanges
-	func AddChangesWithArgs
-	func CommitChanges
-	func CommitChangesWithArgs
-	func IsErrExecTimeout
-	func (ErrExecTimeout).Error
-	func (ErrUnsupportedVersion).Error
-	func SetUpdateHook
-	func GetObjectFormatOfRepo
-	func openRepositoryWithDefaultContext
-	func IsTagExist
-	func ToEntryMode
-	func (*LimitedReaderCloser).Read
-	func (*LimitedReaderCloser).Close
+forgejo.org/modules/hostmatcher
+	HostMatchList.AppendPattern
 
-package "code.gitea.io/gitea/modules/gitgraph"
-	func (*Parser).Reset
+forgejo.org/modules/json
+	StdJSON.Marshal
+	StdJSON.Unmarshal
+	StdJSON.NewEncoder
+	StdJSON.NewDecoder
+	StdJSON.Indent
 
-package "code.gitea.io/gitea/modules/gitrepo"
-	func GetBranchCommitID
-	func GetWikiDefaultBranch
+forgejo.org/modules/log
+	NewEventWriterBuffer
 
-package "code.gitea.io/gitea/modules/graceful"
-	func (*Manager).TerminateContext
-	func (*Manager).Err
-	func (*Manager).Value
-	func (*Manager).Deadline
+forgejo.org/modules/markup
+	GetRendererByType
+	RenderString
+	IsMarkupFile
 
-package "code.gitea.io/gitea/modules/hcaptcha"
-	func WithHTTP
+forgejo.org/modules/markup/console
+	Render
+	RenderString
 
-package "code.gitea.io/gitea/modules/json"
-	func (StdJSON).Marshal
-	func (StdJSON).Unmarshal
-	func (StdJSON).NewEncoder
-	func (StdJSON).NewDecoder
-	func (StdJSON).Indent
+forgejo.org/modules/markup/markdown
+	RenderRawString
 
-package "code.gitea.io/gitea/modules/markup"
-	func IsSameDomain
-	func GetRendererByType
-	func RenderString
-	func IsMarkupFile
+forgejo.org/modules/markup/mdstripper
+	stripRenderer.AddOptions
+	StripMarkdown
 
-package "code.gitea.io/gitea/modules/markup/console"
-	func Render
-	func RenderString
+forgejo.org/modules/markup/orgmode
+	RenderString
 
-package "code.gitea.io/gitea/modules/markup/markdown"
-	func IsDetails
-	func IsSummary
-	func IsTaskCheckBoxListItem
-	func IsIcon
-	func RenderRawString
+forgejo.org/modules/process
+	Manager.ExecTimeout
 
-package "code.gitea.io/gitea/modules/markup/markdown/math"
-	func WithInlineDollarParser
-	func WithBlockDollarParser
+forgejo.org/modules/queue
+	newBaseChannelSimple
+	newBaseChannelUnique
+	newBaseRedisSimple
+	newBaseRedisUnique
+	testStateRecorder.Records
+	testStateRecorder.Reset
+	newWorkerPoolQueueForTest
 
-package "code.gitea.io/gitea/modules/markup/mdstripper"
-	func StripMarkdown
+forgejo.org/modules/queue/lqinternal
+	QueueItemIDBytes
+	QueueItemKeyBytes
+	ListLevelQueueKeys
 
-package "code.gitea.io/gitea/modules/markup/orgmode"
-	func RenderString
+forgejo.org/modules/setting
+	NewConfigProviderFromData
+	GitConfigType.GetOption
+	InitLoggersForTest
 
-package "code.gitea.io/gitea/modules/private"
-	func ActionsRunnerRegister
+forgejo.org/modules/sync
+	StatusTable.Start
+	StatusTable.IsRunning
 
-package "code.gitea.io/gitea/modules/process"
-	func (*Manager).ExecTimeout
+forgejo.org/modules/timeutil
+	GetExecutableModTime
+	MockSet
+	MockUnset
 
-package "code.gitea.io/gitea/modules/queue"
-	func newBaseChannelSimple
-	func newBaseChannelUnique
-	func newBaseRedisSimple
-	func newBaseRedisUnique
-	func newWorkerPoolQueueForTest
+forgejo.org/modules/translation
+	MockLocale.Language
+	MockLocale.TrString
+	MockLocale.Tr
+	MockLocale.TrN
+	MockLocale.TrPluralString
+	MockLocale.TrPluralStringAllForms
+	MockLocale.TrSize
+	MockLocale.HasKey
+	MockLocale.PrettyNumber
 
-package "code.gitea.io/gitea/modules/queue/lqinternal"
-	func QueueItemIDBytes
-	func QueueItemKeyBytes
-	func ListLevelQueueKeys
+forgejo.org/modules/translation/localeiter
+	IterateMessagesContent
 
-package "code.gitea.io/gitea/modules/setting"
-	func NewConfigProviderFromData
-	func (*GitConfigType).GetOption
-	func InitLoggersForTest
+forgejo.org/modules/util
+	OptionalArg
 
-package "code.gitea.io/gitea/modules/storage"
-	func (ErrInvalidConfiguration).Error
-	func IsErrInvalidConfiguration
+forgejo.org/modules/util/filebuffer
+	CreateFromReader
 
-package "code.gitea.io/gitea/modules/structs"
-	func ParseCreateHook
-	func ParsePushHook
+forgejo.org/modules/validation
+	IsErrNotValid
 
-package "code.gitea.io/gitea/modules/sync"
-	func (*StatusTable).Start
-	func (*StatusTable).IsRunning
+forgejo.org/modules/web
+	RouteMock
+	RouteMockReset
 
-package "code.gitea.io/gitea/modules/testlogger"
-	func (*testLoggerWriterCloser).pushT
-	func (*testLoggerWriterCloser).Log
-	func (*testLoggerWriterCloser).recordError
-	func (*testLoggerWriterCloser).printMsg
-	func (*testLoggerWriterCloser).popT
-	func (*testLoggerWriterCloser).Reset
-	func PrintCurrentTest
-	func Printf
-	func NewTestLoggerWriter
-	func (*TestLogEventWriter).Base
-	func (*TestLogEventWriter).GetLevel
-	func (*TestLogEventWriter).GetWriterName
-	func (*TestLogEventWriter).GetWriterType
-	func (*TestLogEventWriter).Run
+forgejo.org/modules/zstd
+	NewWriter
+	Writer.Write
+	Writer.Close
 
-package "code.gitea.io/gitea/modules/timeutil"
-	func GetExecutableModTime
-	func MockSet
-	func MockUnset
+forgejo.org/routers/web/org
+	MustEnableProjects
 
-package "code.gitea.io/gitea/modules/translation"
-	func (MockLocale).Language
-	func (MockLocale).TrString
-	func (MockLocale).Tr
-	func (MockLocale).TrN
-	func (MockLocale).PrettyNumber
+forgejo.org/services/context
+	GetPrivateContext
 
-package "code.gitea.io/gitea/modules/util/filebuffer"
-	func CreateFromReader
+forgejo.org/services/repository
+	IsErrForkAlreadyExist
 
-package "code.gitea.io/gitea/modules/web"
-	func RouteMock
-	func RouteMockReset
+forgejo.org/services/repository/files
+	ContentType.String
 
-package "code.gitea.io/gitea/modules/web/middleware"
-	func DeleteLocaleCookie
+forgejo.org/services/repository/gitgraph
+	Parser.Reset
 
-package "code.gitea.io/gitea/routers/web"
-	func NotFound
-
-package "code.gitea.io/gitea/routers/web/org"
-	func MustEnableProjects
-	func getActionIssues
-	func UpdateIssueProject
-
-package "code.gitea.io/gitea/services/context"
-	func GetPrivateContext
-
-package "code.gitea.io/gitea/services/convert"
-	func ToSecret
-
-package "code.gitea.io/gitea/services/forms"
-	func (*DeadlineForm).Validate
-
-package "code.gitea.io/gitea/services/pull"
-	func IsCommitStatusContextSuccess
-
-package "code.gitea.io/gitea/services/repository"
-	func IsErrForkAlreadyExist
-
-package "code.gitea.io/gitea/services/repository/archiver"
-	func ArchiveRepository
-
-package "code.gitea.io/gitea/services/repository/files"
-	func (*ContentType).String
-	func GetFileResponseFromCommit
-	func (*TemporaryUploadRepository).GetLastCommit
-	func (*TemporaryUploadRepository).GetLastCommitByRef
-
-package "code.gitea.io/gitea/services/webhook"
-	func NewNotifier
-	func List
+forgejo.org/services/webhook
+	NewNotifier
 

.devcontainer/devcontainer.json

@@ -1,16 +1,13 @@
 {
   "name": "Gitea DevContainer",
-  "image": "mcr.microsoft.com/devcontainers/go:1.21-bullseye",
+  "image": "mcr.microsoft.com/devcontainers/go:1.24-bullseye",
   "features": {
     // installs nodejs into container
     "ghcr.io/devcontainers/features/node:1": {
-      "version": "20"
+      "version": "22"
     },
-    "ghcr.io/devcontainers/features/git-lfs:1.1.0": {},
-    "ghcr.io/devcontainers-contrib/features/poetry:2": {},
-    "ghcr.io/devcontainers/features/python:1": {
-      "version": "3.12"
-    }
+    "ghcr.io/devcontainers/features/git-lfs:1.2.3": {},
+    "ghcr.io/warrenbuckley/codespace-features/sqlite:1": {}
   },
   "customizations": {
     "vscode": {
@@ -25,8 +22,9 @@
         "Vue.volar",
         "ms-azuretools.vscode-docker",
         "vitest.explorer",
-        "qwtel.sqlite-viewer",
-        "GitHub.vscode-pull-request-github"
+        "cweijan.vscode-database-client2",
+        "GitHub.vscode-pull-request-github",
+        "Azurite.azurite"
       ]
     }
   },

.dockerignore

@@ -34,6 +34,7 @@ _testmain.go
 
 *coverage.out
 coverage.all
+coverage/
 cpu.out
 
 /modules/migration/bindata.go
@@ -77,7 +78,6 @@ cpu.out
 /public/assets/css
 /public/assets/fonts
 /public/assets/img/avatar
-/public/assets/img/webpack
 /vendor
 /web_src/fomantic/node_modules
 /web_src/fomantic/build/*
@@ -95,6 +95,9 @@ cpu.out
 /.air
 /.go-licenses
 
+# Files and folders that were previously generated
+/public/assets/img/webpack
+
 # Snapcraft
 snap/.snapcraft/
 parts/

.editorconfig

@@ -9,7 +9,10 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[*.{go,tmpl,html}]
+[{*.{go,tmpl,html},Makefile,go.mod}]
+indent_style = tab
+
+[go.*]
 indent_style = tab
 
 [templates/custom/*.tmpl]
@@ -21,8 +24,13 @@ indent_style = space
 [templates/user/auth/oidc_wellknown.tmpl]
 indent_style = space
 
-[Makefile]
-indent_style = tab
-
 [*.svg]
 insert_final_newline = false
+
+[options/locale/locale_*.ini]
+insert_final_newline = false
+
+# Weblate JSON output defaults to four spaces
+[options/locale_next/locale_*.json]
+indent_style = space
+indent_size = 4

.envrc.example

@@ -0,0 +1 @@
+use flake

.eslintrc.yaml

@@ -1,841 +0,0 @@
-root: true
-reportUnusedDisableDirectives: true
-
-ignorePatterns:
-  - /web_src/js/vendor
-
-parserOptions:
-  sourceType: module
-  ecmaVersion: latest
-
-plugins:
-  - "@eslint-community/eslint-plugin-eslint-comments"
-  - "@stylistic/eslint-plugin-js"
-  - eslint-plugin-array-func
-  - eslint-plugin-github
-  - eslint-plugin-i
-  - eslint-plugin-jquery
-  - eslint-plugin-no-jquery
-  - eslint-plugin-no-use-extend-native
-  - eslint-plugin-regexp
-  - eslint-plugin-sonarjs
-  - eslint-plugin-unicorn
-  - eslint-plugin-vitest
-  - eslint-plugin-vitest-globals
-  - eslint-plugin-wc
-
-env:
-  es2024: true
-  node: true
-
-overrides:
-  - files: ["web_src/**/*"]
-    globals:
-      __webpack_public_path__: true
-      process: false # https://github.com/webpack/webpack/issues/15833
-  - files: ["web_src/**/*", "docs/**/*"]
-    env:
-      browser: true
-      node: false
-  - files: ["web_src/**/*worker.*"]
-    env:
-      worker: true
-    rules:
-      no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, status, statusbar, stop, toolbar, top]
-  - files: ["*.config.*"]
-    rules:
-      i/no-unused-modules: [0]
-  - files: ["**/*.test.*", "web_src/js/test/setup.js"]
-    env:
-      vitest-globals/env: true
-    rules:
-      vitest/consistent-test-filename: [0]
-      vitest/consistent-test-it: [0]
-      vitest/expect-expect: [0]
-      vitest/max-expects: [0]
-      vitest/max-nested-describe: [0]
-      vitest/no-alias-methods: [0]
-      vitest/no-commented-out-tests: [0]
-      vitest/no-conditional-expect: [0]
-      vitest/no-conditional-in-test: [0]
-      vitest/no-conditional-tests: [0]
-      vitest/no-disabled-tests: [0]
-      vitest/no-done-callback: [0]
-      vitest/no-duplicate-hooks: [0]
-      vitest/no-focused-tests: [0]
-      vitest/no-hooks: [0]
-      vitest/no-identical-title: [2]
-      vitest/no-interpolation-in-snapshots: [0]
-      vitest/no-large-snapshots: [0]
-      vitest/no-mocks-import: [0]
-      vitest/no-restricted-matchers: [0]
-      vitest/no-restricted-vi-methods: [0]
-      vitest/no-standalone-expect: [0]
-      vitest/no-test-prefixes: [0]
-      vitest/no-test-return-statement: [0]
-      vitest/prefer-called-with: [0]
-      vitest/prefer-comparison-matcher: [0]
-      vitest/prefer-each: [0]
-      vitest/prefer-equality-matcher: [0]
-      vitest/prefer-expect-resolves: [0]
-      vitest/prefer-hooks-in-order: [0]
-      vitest/prefer-hooks-on-top: [2]
-      vitest/prefer-lowercase-title: [0]
-      vitest/prefer-mock-promise-shorthand: [0]
-      vitest/prefer-snapshot-hint: [0]
-      vitest/prefer-spy-on: [0]
-      vitest/prefer-strict-equal: [0]
-      vitest/prefer-to-be: [0]
-      vitest/prefer-to-be-falsy: [0]
-      vitest/prefer-to-be-object: [0]
-      vitest/prefer-to-be-truthy: [0]
-      vitest/prefer-to-contain: [0]
-      vitest/prefer-to-have-length: [0]
-      vitest/prefer-todo: [0]
-      vitest/require-hook: [0]
-      vitest/require-to-throw-message: [0]
-      vitest/require-top-level-describe: [0]
-      vitest/valid-describe-callback: [2]
-      vitest/valid-expect: [2]
-      vitest/valid-title: [2]
-  - files: ["web_src/js/modules/fetch.js", "web_src/js/standalone/**/*"]
-    rules:
-      no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression]
-
-rules:
-  "@eslint-community/eslint-comments/disable-enable-pair": [2]
-  "@eslint-community/eslint-comments/no-aggregating-enable": [2]
-  "@eslint-community/eslint-comments/no-duplicate-disable": [2]
-  "@eslint-community/eslint-comments/no-restricted-disable": [0]
-  "@eslint-community/eslint-comments/no-unlimited-disable": [2]
-  "@eslint-community/eslint-comments/no-unused-disable": [2]
-  "@eslint-community/eslint-comments/no-unused-enable": [2]
-  "@eslint-community/eslint-comments/no-use": [0]
-  "@eslint-community/eslint-comments/require-description": [0]
-  "@stylistic/js/array-bracket-newline": [0]
-  "@stylistic/js/array-bracket-spacing": [2, never]
-  "@stylistic/js/array-element-newline": [0]
-  "@stylistic/js/arrow-parens": [2, always]
-  "@stylistic/js/arrow-spacing": [2, {before: true, after: true}]
-  "@stylistic/js/block-spacing": [0]
-  "@stylistic/js/brace-style": [2, 1tbs, {allowSingleLine: true}]
-  "@stylistic/js/comma-dangle": [2, always-multiline]
-  "@stylistic/js/comma-spacing": [2, {before: false, after: true}]
-  "@stylistic/js/comma-style": [2, last]
-  "@stylistic/js/computed-property-spacing": [2, never]
-  "@stylistic/js/dot-location": [2, property]
-  "@stylistic/js/eol-last": [2]
-  "@stylistic/js/function-call-spacing": [2, never]
-  "@stylistic/js/function-call-argument-newline": [0]
-  "@stylistic/js/function-paren-newline": [0]
-  "@stylistic/js/generator-star-spacing": [0]
-  "@stylistic/js/implicit-arrow-linebreak": [0]
-  "@stylistic/js/indent": [2, 2, {ignoreComments: true, SwitchCase: 1}]
-  "@stylistic/js/key-spacing": [2]
-  "@stylistic/js/keyword-spacing": [2]
-  "@stylistic/js/linebreak-style": [2, unix]
-  "@stylistic/js/lines-around-comment": [0]
-  "@stylistic/js/lines-between-class-members": [0]
-  "@stylistic/js/max-len": [0]
-  "@stylistic/js/max-statements-per-line": [0]
-  "@stylistic/js/multiline-ternary": [0]
-  "@stylistic/js/new-parens": [2]
-  "@stylistic/js/newline-per-chained-call": [0]
-  "@stylistic/js/no-confusing-arrow": [0]
-  "@stylistic/js/no-extra-parens": [0]
-  "@stylistic/js/no-extra-semi": [2]
-  "@stylistic/js/no-floating-decimal": [0]
-  "@stylistic/js/no-mixed-operators": [0]
-  "@stylistic/js/no-mixed-spaces-and-tabs": [2]
-  "@stylistic/js/no-multi-spaces": [2, {ignoreEOLComments: true, exceptions: {Property: true}}]
-  "@stylistic/js/no-multiple-empty-lines": [2, {max: 1, maxEOF: 0, maxBOF: 0}]
-  "@stylistic/js/no-tabs": [2]
-  "@stylistic/js/no-trailing-spaces": [2]
-  "@stylistic/js/no-whitespace-before-property": [2]
-  "@stylistic/js/nonblock-statement-body-position": [2]
-  "@stylistic/js/object-curly-newline": [0]
-  "@stylistic/js/object-curly-spacing": [2, never]
-  "@stylistic/js/object-property-newline": [0]
-  "@stylistic/js/one-var-declaration-per-line": [0]
-  "@stylistic/js/operator-linebreak": [2, after]
-  "@stylistic/js/padded-blocks": [2, never]
-  "@stylistic/js/padding-line-between-statements": [0]
-  "@stylistic/js/quote-props": [0]
-  "@stylistic/js/quotes": [2, single, {avoidEscape: true, allowTemplateLiterals: true}]
-  "@stylistic/js/rest-spread-spacing": [2, never]
-  "@stylistic/js/semi": [2, always, {omitLastInOneLineBlock: true}]
-  "@stylistic/js/semi-spacing": [2, {before: false, after: true}]
-  "@stylistic/js/semi-style": [2, last]
-  "@stylistic/js/space-before-blocks": [2, always]
-  "@stylistic/js/space-before-function-paren": [2, {anonymous: ignore, named: never, asyncArrow: always}]
-  "@stylistic/js/space-in-parens": [2, never]
-  "@stylistic/js/space-infix-ops": [2]
-  "@stylistic/js/space-unary-ops": [2]
-  "@stylistic/js/spaced-comment": [2, always]
-  "@stylistic/js/switch-colon-spacing": [2]
-  "@stylistic/js/template-curly-spacing": [2, never]
-  "@stylistic/js/template-tag-spacing": [2, never]
-  "@stylistic/js/wrap-iife": [2, inside]
-  "@stylistic/js/wrap-regex": [0]
-  "@stylistic/js/yield-star-spacing": [2, after]
-  accessor-pairs: [2]
-  array-callback-return: [2, {checkForEach: true}]
-  array-func/avoid-reverse: [2]
-  array-func/from-map: [2]
-  array-func/no-unnecessary-this-arg: [2]
-  array-func/prefer-array-from: [2]
-  array-func/prefer-flat-map: [0] # handled by unicorn/prefer-array-flat-map
-  array-func/prefer-flat: [0] # handled by unicorn/prefer-array-flat
-  arrow-body-style: [0]
-  block-scoped-var: [2]
-  camelcase: [0]
-  capitalized-comments: [0]
-  class-methods-use-this: [0]
-  complexity: [0]
-  consistent-return: [0]
-  consistent-this: [0]
-  constructor-super: [2]
-  curly: [0]
-  default-case-last: [2]
-  default-case: [0]
-  default-param-last: [0]
-  dot-notation: [0]
-  eqeqeq: [2]
-  for-direction: [2]
-  func-name-matching: [2]
-  func-names: [0]
-  func-style: [0]
-  getter-return: [2]
-  github/a11y-aria-label-is-well-formatted: [0]
-  github/a11y-no-title-attribute: [0]
-  github/a11y-no-visually-hidden-interactive-element: [0]
-  github/a11y-role-supports-aria-props: [0]
-  github/a11y-svg-has-accessible-name: [0]
-  github/array-foreach: [0]
-  github/async-currenttarget: [2]
-  github/async-preventdefault: [2]
-  github/authenticity-token: [0]
-  github/get-attribute: [0]
-  github/js-class-name: [0]
-  github/no-blur: [0]
-  github/no-d-none: [0]
-  github/no-dataset: [2]
-  github/no-dynamic-script-tag: [2]
-  github/no-implicit-buggy-globals: [2]
-  github/no-inner-html: [0]
-  github/no-innerText: [2]
-  github/no-then: [2]
-  github/no-useless-passive: [2]
-  github/prefer-observers: [2]
-  github/require-passive-events: [2]
-  github/unescaped-html-literal: [0]
-  grouped-accessor-pairs: [2]
-  guard-for-in: [0]
-  id-blacklist: [0]
-  id-length: [0]
-  id-match: [0]
-  i/consistent-type-specifier-style: [0]
-  i/default: [0]
-  i/dynamic-import-chunkname: [0]
-  i/export: [2]
-  i/exports-last: [0]
-  i/extensions: [2, always, {ignorePackages: true}]
-  i/first: [2]
-  i/group-exports: [0]
-  i/max-dependencies: [0]
-  i/named: [2]
-  i/namespace: [0]
-  i/newline-after-import: [0]
-  i/no-absolute-path: [0]
-  i/no-amd: [2]
-  i/no-anonymous-default-export: [0]
-  i/no-commonjs: [2]
-  i/no-cycle: [2, {ignoreExternal: true, maxDepth: 1}]
-  i/no-default-export: [0]
-  i/no-deprecated: [0]
-  i/no-dynamic-require: [0]
-  i/no-empty-named-blocks: [2]
-  i/no-extraneous-dependencies: [2]
-  i/no-import-module-exports: [0]
-  i/no-internal-modules: [0]
-  i/no-mutable-exports: [0]
-  i/no-named-as-default-member: [0]
-  i/no-named-as-default: [2]
-  i/no-named-default: [0]
-  i/no-named-export: [0]
-  i/no-namespace: [0]
-  i/no-nodejs-modules: [0]
-  i/no-relative-packages: [0]
-  i/no-relative-parent-imports: [0]
-  i/no-restricted-paths: [0]
-  i/no-self-import: [2]
-  i/no-unassigned-import: [0]
-  i/no-unresolved: [2, {commonjs: true, ignore: ["\\?.+$", ^vitest/]}]
-  i/no-unused-modules: [2, {unusedExports: true}]
-  i/no-useless-path-segments: [2, {commonjs: true}]
-  i/no-webpack-loader-syntax: [2]
-  i/order: [0]
-  i/prefer-default-export: [0]
-  i/unambiguous: [0]
-  init-declarations: [0]
-  jquery/no-ajax-events: [2]
-  jquery/no-ajax: [2]
-  jquery/no-animate: [2]
-  jquery/no-attr: [2]
-  jquery/no-bind: [2]
-  jquery/no-class: [0]
-  jquery/no-clone: [2]
-  jquery/no-closest: [0]
-  jquery/no-css: [2]
-  jquery/no-data: [0]
-  jquery/no-deferred: [2]
-  jquery/no-delegate: [2]
-  jquery/no-each: [0]
-  jquery/no-extend: [2]
-  jquery/no-fade: [2]
-  jquery/no-filter: [0]
-  jquery/no-find: [0]
-  jquery/no-global-eval: [2]
-  jquery/no-grep: [2]
-  jquery/no-has: [2]
-  jquery/no-hide: [2]
-  jquery/no-html: [0]
-  jquery/no-in-array: [2]
-  jquery/no-is-array: [2]
-  jquery/no-is-function: [2]
-  jquery/no-is: [2]
-  jquery/no-load: [2]
-  jquery/no-map: [2]
-  jquery/no-merge: [2]
-  jquery/no-param: [2]
-  jquery/no-parent: [0]
-  jquery/no-parents: [0]
-  jquery/no-parse-html: [2]
-  jquery/no-prop: [2]
-  jquery/no-proxy: [2]
-  jquery/no-ready: [2]
-  jquery/no-serialize: [2]
-  jquery/no-show: [2]
-  jquery/no-size: [2]
-  jquery/no-sizzle: [0]
-  jquery/no-slide: [0]
-  jquery/no-submit: [0]
-  jquery/no-text: [0]
-  jquery/no-toggle: [2]
-  jquery/no-trigger: [0]
-  jquery/no-trim: [2]
-  jquery/no-val: [0]
-  jquery/no-when: [2]
-  jquery/no-wrap: [2]
-  line-comment-position: [0]
-  logical-assignment-operators: [0]
-  max-classes-per-file: [0]
-  max-depth: [0]
-  max-lines-per-function: [0]
-  max-lines: [0]
-  max-nested-callbacks: [0]
-  max-params: [0]
-  max-statements: [0]
-  multiline-comment-style: [2, separate-lines]
-  new-cap: [0]
-  no-alert: [0]
-  no-array-constructor: [2]
-  no-async-promise-executor: [0]
-  no-await-in-loop: [0]
-  no-bitwise: [0]
-  no-buffer-constructor: [0]
-  no-caller: [2]
-  no-case-declarations: [2]
-  no-class-assign: [2]
-  no-compare-neg-zero: [2]
-  no-cond-assign: [2, except-parens]
-  no-console: [1, {allow: [debug, info, warn, error]}]
-  no-const-assign: [2]
-  no-constant-binary-expression: [2]
-  no-constant-condition: [0]
-  no-constructor-return: [2]
-  no-continue: [0]
-  no-control-regex: [0]
-  no-debugger: [1]
-  no-delete-var: [2]
-  no-div-regex: [0]
-  no-dupe-args: [2]
-  no-dupe-class-members: [2]
-  no-dupe-else-if: [2]
-  no-dupe-keys: [2]
-  no-duplicate-case: [2]
-  no-duplicate-imports: [2]
-  no-else-return: [2]
-  no-empty-character-class: [2]
-  no-empty-function: [0]
-  no-empty-pattern: [2]
-  no-empty-static-block: [2]
-  no-empty: [2, {allowEmptyCatch: true}]
-  no-eq-null: [2]
-  no-eval: [2]
-  no-ex-assign: [2]
-  no-extend-native: [2]
-  no-extra-bind: [2]
-  no-extra-boolean-cast: [2]
-  no-extra-label: [0]
-  no-fallthrough: [2]
-  no-func-assign: [2]
-  no-global-assign: [2]
-  no-implicit-coercion: [2]
-  no-implicit-globals: [0]
-  no-implied-eval: [2]
-  no-import-assign: [2]
-  no-inline-comments: [0]
-  no-inner-declarations: [2]
-  no-invalid-regexp: [2]
-  no-invalid-this: [0]
-  no-irregular-whitespace: [2]
-  no-iterator: [2]
-  no-jquery/no-ajax-events: [2]
-  no-jquery/no-ajax: [2]
-  no-jquery/no-and-self: [2]
-  no-jquery/no-animate-toggle: [2]
-  no-jquery/no-animate: [2]
-  no-jquery/no-append-html: [2]
-  no-jquery/no-attr: [2]
-  no-jquery/no-bind: [2]
-  no-jquery/no-box-model: [2]
-  no-jquery/no-browser: [2]
-  no-jquery/no-camel-case: [2]
-  no-jquery/no-class-state: [0]
-  no-jquery/no-class: [0]
-  no-jquery/no-clone: [2]
-  no-jquery/no-closest: [0]
-  no-jquery/no-constructor-attributes: [2]
-  no-jquery/no-contains: [2]
-  no-jquery/no-context-prop: [2]
-  no-jquery/no-css: [2]
-  no-jquery/no-data: [0]
-  no-jquery/no-deferred: [2]
-  no-jquery/no-delegate: [2]
-  no-jquery/no-each-collection: [0]
-  no-jquery/no-each-util: [0]
-  no-jquery/no-each: [0]
-  no-jquery/no-error-shorthand: [2]
-  no-jquery/no-error: [2]
-  no-jquery/no-escape-selector: [2]
-  no-jquery/no-event-shorthand: [2]
-  no-jquery/no-extend: [2]
-  no-jquery/no-fade: [2]
-  no-jquery/no-filter: [0]
-  no-jquery/no-find-collection: [0]
-  no-jquery/no-find-util: [2]
-  no-jquery/no-find: [0]
-  no-jquery/no-fx-interval: [2]
-  no-jquery/no-global-eval: [2]
-  no-jquery/no-global-selector: [0]
-  no-jquery/no-grep: [2]
-  no-jquery/no-has: [2]
-  no-jquery/no-hold-ready: [2]
-  no-jquery/no-html: [0]
-  no-jquery/no-in-array: [2]
-  no-jquery/no-is-array: [2]
-  no-jquery/no-is-empty-object: [2]
-  no-jquery/no-is-function: [2]
-  no-jquery/no-is-numeric: [2]
-  no-jquery/no-is-plain-object: [2]
-  no-jquery/no-is-window: [2]
-  no-jquery/no-is: [2]
-  no-jquery/no-jquery-constructor: [0]
-  no-jquery/no-live: [2]
-  no-jquery/no-load-shorthand: [2]
-  no-jquery/no-load: [2]
-  no-jquery/no-map-collection: [0]
-  no-jquery/no-map-util: [2]
-  no-jquery/no-map: [2]
-  no-jquery/no-merge: [2]
-  no-jquery/no-node-name: [2]
-  no-jquery/no-noop: [2]
-  no-jquery/no-now: [2]
-  no-jquery/no-on-ready: [2]
-  no-jquery/no-other-methods: [0]
-  no-jquery/no-other-utils: [2]
-  no-jquery/no-param: [2]
-  no-jquery/no-parent: [0]
-  no-jquery/no-parents: [0]
-  no-jquery/no-parse-html-literal: [0]
-  no-jquery/no-parse-html: [2]
-  no-jquery/no-parse-json: [2]
-  no-jquery/no-parse-xml: [2]
-  no-jquery/no-prop: [2]
-  no-jquery/no-proxy: [2]
-  no-jquery/no-ready-shorthand: [2]
-  no-jquery/no-ready: [2]
-  no-jquery/no-selector-prop: [2]
-  no-jquery/no-serialize: [2]
-  no-jquery/no-size: [2]
-  no-jquery/no-sizzle: [0]
-  no-jquery/no-slide: [2]
-  no-jquery/no-sub: [2]
-  no-jquery/no-support: [2]
-  no-jquery/no-text: [0]
-  no-jquery/no-trigger: [0]
-  no-jquery/no-trim: [2]
-  no-jquery/no-type: [2]
-  no-jquery/no-unique: [2]
-  no-jquery/no-unload-shorthand: [2]
-  no-jquery/no-val: [0]
-  no-jquery/no-visibility: [2]
-  no-jquery/no-when: [2]
-  no-jquery/no-wrap: [2]
-  no-jquery/variable-pattern: [2]
-  no-label-var: [2]
-  no-labels: [0] # handled by no-restricted-syntax
-  no-lone-blocks: [2]
-  no-lonely-if: [0]
-  no-loop-func: [0]
-  no-loss-of-precision: [2]
-  no-magic-numbers: [0]
-  no-misleading-character-class: [2]
-  no-multi-assign: [0]
-  no-multi-str: [2]
-  no-negated-condition: [0]
-  no-nested-ternary: [0]
-  no-new-func: [2]
-  no-new-native-nonconstructor: [2]
-  no-new-object: [2]
-  no-new-symbol: [2]
-  no-new-wrappers: [2]
-  no-new: [0]
-  no-nonoctal-decimal-escape: [2]
-  no-obj-calls: [2]
-  no-octal-escape: [2]
-  no-octal: [2]
-  no-param-reassign: [0]
-  no-plusplus: [0]
-  no-promise-executor-return: [0]
-  no-proto: [2]
-  no-prototype-builtins: [2]
-  no-redeclare: [2]
-  no-regex-spaces: [2]
-  no-restricted-exports: [0]
-  no-restricted-globals: [2, addEventListener, blur, close, closed, confirm, defaultStatus, defaultstatus, error, event, external, find, focus, frameElement, frames, history, innerHeight, innerWidth, isFinite, isNaN, length, location, locationbar, menubar, moveBy, moveTo, name, onblur, onerror, onfocus, onload, onresize, onunload, open, opener, opera, outerHeight, outerWidth, pageXOffset, pageYOffset, parent, print, removeEventListener, resizeBy, resizeTo, screen, screenLeft, screenTop, screenX, screenY, scroll, scrollbars, scrollBy, scrollTo, scrollX, scrollY, self, status, statusbar, stop, toolbar, top, __dirname, __filename]
-  no-restricted-imports: [0]
-  no-restricted-syntax: [2, WithStatement, ForInStatement, LabeledStatement, SequenceExpression, {selector: "CallExpression[callee.name='fetch']", message: "use modules/fetch.js instead"}]
-  no-return-assign: [0]
-  no-script-url: [2]
-  no-self-assign: [2, {props: true}]
-  no-self-compare: [2]
-  no-sequences: [2]
-  no-setter-return: [2]
-  no-shadow-restricted-names: [2]
-  no-shadow: [0]
-  no-sparse-arrays: [2]
-  no-template-curly-in-string: [2]
-  no-ternary: [0]
-  no-this-before-super: [2]
-  no-throw-literal: [2]
-  no-undef-init: [2]
-  no-undef: [2, {typeof: true}]
-  no-undefined: [0]
-  no-underscore-dangle: [0]
-  no-unexpected-multiline: [2]
-  no-unmodified-loop-condition: [2]
-  no-unneeded-ternary: [0]
-  no-unreachable-loop: [2]
-  no-unreachable: [2]
-  no-unsafe-finally: [2]
-  no-unsafe-negation: [2]
-  no-unused-expressions: [2]
-  no-unused-labels: [2]
-  no-unused-private-class-members: [2]
-  no-unused-vars: [2, {args: all, argsIgnorePattern: ^_, varsIgnorePattern: ^_, caughtErrorsIgnorePattern: ^_, destructuredArrayIgnorePattern: ^_, ignoreRestSiblings: false}]
-  no-use-before-define: [2, {functions: false, classes: true, variables: true, allowNamedExports: true}]
-  no-use-extend-native/no-use-extend-native: [2]
-  no-useless-backreference: [2]
-  no-useless-call: [2]
-  no-useless-catch: [2]
-  no-useless-computed-key: [2]
-  no-useless-concat: [2]
-  no-useless-constructor: [2]
-  no-useless-escape: [2]
-  no-useless-rename: [2]
-  no-useless-return: [2]
-  no-var: [2]
-  no-void: [2]
-  no-warning-comments: [0]
-  no-with: [0] # handled by no-restricted-syntax
-  object-shorthand: [2, always]
-  one-var-declaration-per-line: [0]
-  one-var: [0]
-  operator-assignment: [2, always]
-  operator-linebreak: [2, after]
-  prefer-arrow-callback: [2, {allowNamedFunctions: true, allowUnboundThis: true}]
-  prefer-const: [2, {destructuring: all, ignoreReadBeforeAssign: true}]
-  prefer-destructuring: [0]
-  prefer-exponentiation-operator: [2]
-  prefer-named-capture-group: [0]
-  prefer-numeric-literals: [2]
-  prefer-object-has-own: [2]
-  prefer-object-spread: [2]
-  prefer-promise-reject-errors: [2, {allowEmptyReject: false}]
-  prefer-regex-literals: [2]
-  prefer-rest-params: [2]
-  prefer-spread: [2]
-  prefer-template: [2]
-  radix: [2, as-needed]
-  regexp/confusing-quantifier: [2]
-  regexp/control-character-escape: [2]
-  regexp/hexadecimal-escape: [0]
-  regexp/letter-case: [0]
-  regexp/match-any: [2]
-  regexp/negation: [2]
-  regexp/no-contradiction-with-assertion: [0]
-  regexp/no-control-character: [0]
-  regexp/no-dupe-characters-character-class: [2]
-  regexp/no-dupe-disjunctions: [2]
-  regexp/no-empty-alternative: [2]
-  regexp/no-empty-capturing-group: [2]
-  regexp/no-empty-character-class: [0]
-  regexp/no-empty-group: [2]
-  regexp/no-empty-lookarounds-assertion: [2]
-  regexp/no-empty-string-literal: [2]
-  regexp/no-escape-backspace: [2]
-  regexp/no-extra-lookaround-assertions: [0]
-  regexp/no-invalid-regexp: [2]
-  regexp/no-invisible-character: [2]
-  regexp/no-lazy-ends: [2]
-  regexp/no-legacy-features: [2]
-  regexp/no-misleading-capturing-group: [0]
-  regexp/no-misleading-unicode-character: [0]
-  regexp/no-missing-g-flag: [2]
-  regexp/no-non-standard-flag: [2]
-  regexp/no-obscure-range: [2]
-  regexp/no-octal: [2]
-  regexp/no-optional-assertion: [2]
-  regexp/no-potentially-useless-backreference: [2]
-  regexp/no-standalone-backslash: [2]
-  regexp/no-super-linear-backtracking: [0]
-  regexp/no-super-linear-move: [0]
-  regexp/no-trivially-nested-assertion: [2]
-  regexp/no-trivially-nested-quantifier: [2]
-  regexp/no-unused-capturing-group: [0]
-  regexp/no-useless-assertions: [2]
-  regexp/no-useless-backreference: [2]
-  regexp/no-useless-character-class: [2]
-  regexp/no-useless-dollar-replacements: [2]
-  regexp/no-useless-escape: [2]
-  regexp/no-useless-flag: [2]
-  regexp/no-useless-lazy: [2]
-  regexp/no-useless-non-capturing-group: [2]
-  regexp/no-useless-quantifier: [2]
-  regexp/no-useless-range: [2]
-  regexp/no-useless-set-operand: [2]
-  regexp/no-useless-string-literal: [2]
-  regexp/no-useless-two-nums-quantifier: [2]
-  regexp/no-zero-quantifier: [2]
-  regexp/optimal-lookaround-quantifier: [2]
-  regexp/optimal-quantifier-concatenation: [0]
-  regexp/prefer-character-class: [0]
-  regexp/prefer-d: [0]
-  regexp/prefer-escape-replacement-dollar-char: [0]
-  regexp/prefer-lookaround: [0]
-  regexp/prefer-named-backreference: [0]
-  regexp/prefer-named-capture-group: [0]
-  regexp/prefer-named-replacement: [0]
-  regexp/prefer-plus-quantifier: [2]
-  regexp/prefer-predefined-assertion: [2]
-  regexp/prefer-quantifier: [0]
-  regexp/prefer-question-quantifier: [2]
-  regexp/prefer-range: [2]
-  regexp/prefer-regexp-exec: [2]
-  regexp/prefer-regexp-test: [2]
-  regexp/prefer-result-array-groups: [0]
-  regexp/prefer-set-operation: [2]
-  regexp/prefer-star-quantifier: [2]
-  regexp/prefer-unicode-codepoint-escapes: [2]
-  regexp/prefer-w: [0]
-  regexp/require-unicode-regexp: [0]
-  regexp/simplify-set-operations: [2]
-  regexp/sort-alternatives: [0]
-  regexp/sort-character-class-elements: [0]
-  regexp/sort-flags: [0]
-  regexp/strict: [2]
-  regexp/unicode-escape: [0]
-  regexp/use-ignore-case: [0]
-  require-atomic-updates: [0]
-  require-await: [0]
-  require-unicode-regexp: [0]
-  require-yield: [2]
-  sonarjs/cognitive-complexity: [0]
-  sonarjs/elseif-without-else: [0]
-  sonarjs/max-switch-cases: [0]
-  sonarjs/no-all-duplicated-branches: [2]
-  sonarjs/no-collapsible-if: [0]
-  sonarjs/no-collection-size-mischeck: [2]
-  sonarjs/no-duplicate-string: [0]
-  sonarjs/no-duplicated-branches: [0]
-  sonarjs/no-element-overwrite: [2]
-  sonarjs/no-empty-collection: [2]
-  sonarjs/no-extra-arguments: [2]
-  sonarjs/no-gratuitous-expressions: [2]
-  sonarjs/no-identical-conditions: [2]
-  sonarjs/no-identical-expressions: [2]
-  sonarjs/no-identical-functions: [2, 5]
-  sonarjs/no-ignored-return: [2]
-  sonarjs/no-inverted-boolean-check: [2]
-  sonarjs/no-nested-switch: [0]
-  sonarjs/no-nested-template-literals: [0]
-  sonarjs/no-one-iteration-loop: [2]
-  sonarjs/no-redundant-boolean: [2]
-  sonarjs/no-redundant-jump: [2]
-  sonarjs/no-same-line-conditional: [2]
-  sonarjs/no-small-switch: [0]
-  sonarjs/no-unused-collection: [2]
-  sonarjs/no-use-of-empty-return-value: [2]
-  sonarjs/no-useless-catch: [2]
-  sonarjs/non-existent-operator: [2]
-  sonarjs/prefer-immediate-return: [0]
-  sonarjs/prefer-object-literal: [0]
-  sonarjs/prefer-single-boolean-return: [0]
-  sonarjs/prefer-while: [2]
-  sort-imports: [0]
-  sort-keys: [0]
-  sort-vars: [0]
-  strict: [0]
-  symbol-description: [2]
-  unicode-bom: [2, never]
-  unicorn/better-regex: [0]
-  unicorn/catch-error-name: [0]
-  unicorn/consistent-destructuring: [2]
-  unicorn/consistent-function-scoping: [2]
-  unicorn/custom-error-definition: [0]
-  unicorn/empty-brace-spaces: [2]
-  unicorn/error-message: [0]
-  unicorn/escape-case: [0]
-  unicorn/expiring-todo-comments: [0]
-  unicorn/explicit-length-check: [0]
-  unicorn/filename-case: [0]
-  unicorn/import-index: [0]
-  unicorn/import-style: [0]
-  unicorn/new-for-builtins: [2]
-  unicorn/no-abusive-eslint-disable: [0]
-  unicorn/no-array-callback-reference: [0]
-  unicorn/no-array-for-each: [2]
-  unicorn/no-array-method-this-argument: [2]
-  unicorn/no-array-push-push: [2]
-  unicorn/no-array-reduce: [2]
-  unicorn/no-await-expression-member: [0]
-  unicorn/no-console-spaces: [0]
-  unicorn/no-document-cookie: [2]
-  unicorn/no-empty-file: [2]
-  unicorn/no-for-loop: [0]
-  unicorn/no-hex-escape: [0]
-  unicorn/no-instanceof-array: [0]
-  unicorn/no-invalid-remove-event-listener: [2]
-  unicorn/no-keyword-prefix: [0]
-  unicorn/no-lonely-if: [2]
-  unicorn/no-negated-condition: [0]
-  unicorn/no-nested-ternary: [0]
-  unicorn/no-new-array: [0]
-  unicorn/no-new-buffer: [0]
-  unicorn/no-null: [0]
-  unicorn/no-object-as-default-parameter: [0]
-  unicorn/no-process-exit: [0]
-  unicorn/no-static-only-class: [2]
-  unicorn/no-thenable: [2]
-  unicorn/no-this-assignment: [2]
-  unicorn/no-typeof-undefined: [2]
-  unicorn/no-unnecessary-await: [2]
-  unicorn/no-unnecessary-polyfills: [2]
-  unicorn/no-unreadable-array-destructuring: [0]
-  unicorn/no-unreadable-iife: [2]
-  unicorn/no-unused-properties: [2]
-  unicorn/no-useless-fallback-in-spread: [2]
-  unicorn/no-useless-length-check: [2]
-  unicorn/no-useless-promise-resolve-reject: [2]
-  unicorn/no-useless-spread: [2]
-  unicorn/no-useless-switch-case: [2]
-  unicorn/no-useless-undefined: [0]
-  unicorn/no-zero-fractions: [2]
-  unicorn/number-literal-case: [0]
-  unicorn/numeric-separators-style: [0]
-  unicorn/prefer-add-event-listener: [2]
-  unicorn/prefer-array-find: [2]
-  unicorn/prefer-array-flat-map: [2]
-  unicorn/prefer-array-flat: [2]
-  unicorn/prefer-array-index-of: [2]
-  unicorn/prefer-array-some: [2]
-  unicorn/prefer-at: [0]
-  unicorn/prefer-blob-reading-methods: [2]
-  unicorn/prefer-code-point: [0]
-  unicorn/prefer-date-now: [2]
-  unicorn/prefer-default-parameters: [0]
-  unicorn/prefer-dom-node-append: [2]
-  unicorn/prefer-dom-node-dataset: [0]
-  unicorn/prefer-dom-node-remove: [2]
-  unicorn/prefer-dom-node-text-content: [2]
-  unicorn/prefer-event-target: [2]
-  unicorn/prefer-export-from: [0]
-  unicorn/prefer-includes: [2]
-  unicorn/prefer-json-parse-buffer: [0]
-  unicorn/prefer-keyboard-event-key: [2]
-  unicorn/prefer-logical-operator-over-ternary: [2]
-  unicorn/prefer-math-trunc: [2]
-  unicorn/prefer-modern-dom-apis: [0]
-  unicorn/prefer-modern-math-apis: [2]
-  unicorn/prefer-module: [2]
-  unicorn/prefer-native-coercion-functions: [2]
-  unicorn/prefer-negative-index: [2]
-  unicorn/prefer-node-protocol: [2]
-  unicorn/prefer-number-properties: [0]
-  unicorn/prefer-object-from-entries: [2]
-  unicorn/prefer-object-has-own: [0]
-  unicorn/prefer-optional-catch-binding: [2]
-  unicorn/prefer-prototype-methods: [0]
-  unicorn/prefer-query-selector: [0]
-  unicorn/prefer-reflect-apply: [0]
-  unicorn/prefer-regexp-test: [2]
-  unicorn/prefer-set-has: [0]
-  unicorn/prefer-set-size: [2]
-  unicorn/prefer-spread: [0]
-  unicorn/prefer-string-replace-all: [0]
-  unicorn/prefer-string-slice: [0]
-  unicorn/prefer-string-starts-ends-with: [2]
-  unicorn/prefer-string-trim-start-end: [2]
-  unicorn/prefer-switch: [0]
-  unicorn/prefer-ternary: [0]
-  unicorn/prefer-text-content: [2]
-  unicorn/prefer-top-level-await: [0]
-  unicorn/prefer-type-error: [0]
-  unicorn/prevent-abbreviations: [0]
-  unicorn/relative-url-style: [2]
-  unicorn/require-array-join-separator: [2]
-  unicorn/require-number-to-fixed-digits-argument: [2]
-  unicorn/require-post-message-target-origin: [0]
-  unicorn/string-content: [0]
-  unicorn/switch-case-braces: [0]
-  unicorn/template-indent: [2]
-  unicorn/text-encoding-identifier-case: [0]
-  unicorn/throw-new-error: [2]
-  use-isnan: [2]
-  valid-typeof: [2, {requireStringLiterals: true}]
-  vars-on-top: [0]
-  wc/attach-shadow-constructor: [2]
-  wc/define-tag-after-class-definition: [0]
-  wc/expose-class-on-global: [0]
-  wc/file-name-matches-element: [2]
-  wc/guard-define-call: [0]
-  wc/guard-super-call: [2]
-  wc/max-elements-per-file: [0]
-  wc/no-child-traversal-in-attributechangedcallback: [2]
-  wc/no-child-traversal-in-connectedcallback: [2]
-  wc/no-closed-shadow-root: [2]
-  wc/no-constructor-attributes: [2]
-  wc/no-constructor-params: [2]
-  wc/no-constructor: [2]
-  wc/no-customized-built-in-elements: [2]
-  wc/no-exports-with-element: [0]
-  wc/no-invalid-element-name: [2]
-  wc/no-invalid-extends: [2]
-  wc/no-method-prefixed-with-on: [2]
-  wc/no-self-class: [2]
-  wc/no-typos: [2]
-  wc/require-listener-teardown: [2]
-  wc/tag-name-matches-class: [2]
-  yoda: [2, never]

.forgejo/cascading-pr-end-to-end

@@ -13,21 +13,22 @@ minor_version=$(make show-version-minor)
 
 cd $end_to_end
 
-if ! test -f forgejo/sources/$minor_version ; then
-    echo "FAIL: forgejo/sources/$minor_version does not exist in the end-to-end repository"
-    false
+if ! test -f forgejo/sources/$minor_version; then
+  echo "FAIL: forgejo/sources/$minor_version does not exist in the end-to-end repository"
+  false
 fi
 
-date > last-upgrade
+echo -n $minor_version >forgejo/build-from-sources
+date >last-upgrade
 
-if test -f "$forgejo_pr_or_ref" ; then
-    forgejo_pr=$forgejo_pr_or_ref
-    head_url=$(jq --raw-output .head.repo.html_url < $forgejo_pr)
-    test "$head_url" != null
-    branch=$(jq --raw-output .head.ref < $forgejo_pr)
-    test "$branch" != null
-    echo $head_url $branch $full_version > forgejo/sources/$minor_version
+if test -f "$forgejo_pr_or_ref"; then
+  forgejo_pr=$forgejo_pr_or_ref
+  head_url=$(jq --raw-output .head.repo.html_url <$forgejo_pr)
+  test "$head_url" != null
+  branch=$(jq --raw-output .head.ref <$forgejo_pr)
+  test "$branch" != null
+  echo $head_url $branch $full_version >forgejo/sources/$minor_version
 else
-    forgejo_ref=$forgejo_pr_or_ref
-    echo $GITHUB_SERVER_URL/$GITHUB_REPOSITORY ${forgejo_ref#refs/heads/} $full_version > forgejo/sources/$minor_version
+  forgejo_ref=$forgejo_pr_or_ref
+  echo $GITHUB_SERVER_URL/$GITHUB_REPOSITORY ${forgejo_ref#refs/heads/} $full_version >forgejo/sources/$minor_version
 fi

.forgejo/cascading-release-end-to-end

@@ -8,15 +8,15 @@ forgejo=$3
 forgejo_ref=$4
 
 cd $end_to_end
-date > last-upgrade
+date >last-upgrade
 organizations=lib/ORGANIZATIONS
-if ! test -f $organizations ; then
-    echo "$organizations file not found"
-    false
+if ! test -f $organizations; then
+  echo "$organizations file not found"
+  false
 fi
 #
-# do not include forgejo-experimental so that 7.0-test is found
-# in forgejo-integration where it was just built instead of
-# forgejo-experimental which was published by the previous build
+# Inverse the order of lookup because the goal in the release built
+# pipeline is to test the latest build, if available, instead of the
+# stable version by the same version.
 #
-echo forgejo forgejo-integration > $organizations
+echo forgejo-integration forgejo-experimental forgejo >$organizations

.forgejo/issue_template/bug-report-ui.yaml

@@ -1,6 +1,6 @@
 name: 🦋 Bug Report (web interface / frontend)
 description: Something doesn't look quite as it should?  Report it here!
-title: "[BUG] "
+title: "bug: "
 labels: ["bug/new-report", "forgejo/ui"]
 body:
 - type: markdown
@@ -13,16 +13,29 @@ body:
       - Please speak English, as this is the language all maintainers can speak and write.
       - Be as clear and concise as possible. A very verbose report is harder to interpret in a concrete way.
       - Be civil, and follow the [Forgejo Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
-      - Please make sure you are using the latest release of Forgejo and take a moment to [check that your issue hasn't been reported before](https://codeberg.org/forgejo/forgejo/issues?q=&type=all&labels=78137).
-      - Please give all relevant information below for bug reports, as incomplete details may result in the issue not being considered.
+      - Take a moment to [check that your issue hasn't been reported before](https://codeberg.org/forgejo/forgejo/issues?q=&type=all&labels=78137).
+- type: dropdown
+  id: can-reproduce
+  attributes:
+    label: Can you reproduce the bug on the Forgejo test instance?
+    description: |
+      Please try reproducing your issue at https://dev.next.forgejo.org.
+      It is running the latest development branch and will confirm the problem is not already fixed.
+      If you can reproduce it, provide a URL in the description.
+    options:
+    - "Yes"
+    - "No"
+  validations:
+    required: true
 - type: textarea
   id: description
   attributes:
     label: Description
     description: |
-      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below).
-      If you think this is a JavaScript error, show us the JavaScript console.
-      If the error appears to relate to Forgejo the server, please also give us `DEBUG` level logs. (See https://forgejo.org/docs/latest/admin/logging-documentation/)
+      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see above).
+      If you think this is a JavaScript error, include a copy of the JavaScript console.
+  validations:
+    required: true
 - type: textarea
   id: screenshots
   attributes:
@@ -35,20 +48,6 @@ body:
   attributes:
     label: Forgejo Version
     description: Forgejo version (or commit reference) your instance is running
-  validations:
-    required: true
-- type: dropdown
-  id: can-reproduce
-  attributes:
-    label: Can you reproduce the bug on Forgejo Next?
-    description: |
-      Please try reproducing your issue at [Forgejo Next](https://next.forgejo.org).
-      If you can reproduce it, please provide a URL in the Description field.
-    options:
-    - "Yes"
-    - "No"
-  validations:
-    required: true
 - type: input
   id: browser-ver
   attributes:
@@ -56,8 +55,3 @@ body:
     description: The browser and version that you are using to access Forgejo
   validations:
     required: true
-- type: input
-  id: os-ver
-  attributes:
-    label: Operating System
-    description: The operating system you are using to access Forgejo

.forgejo/issue_template/bug-report.yaml

@@ -1,6 +1,6 @@
 name: 🐛 Bug Report (server / backend)
 description: Found something you weren't expecting? Report it here!
-title: "[BUG] "
+title: "bug: "
 labels: bug/new-report
 body:
 - type: markdown
@@ -13,14 +13,26 @@ body:
       - Please speak English, as this is the language all maintainers can speak and write.
       - Be as clear and concise as possible. A very verbose report is harder to interpret in a concrete way.
       - Be civil, and follow the [Forgejo Code of Conduct](https://codeberg.org/forgejo/code-of-conduct).
-      - Please make sure you are using the latest release of Forgejo and take a moment to [check that your issue hasn't been reported before](https://codeberg.org/forgejo/forgejo/issues?q=&type=all&labels=78137).
-      - Please give all relevant information below for bug reports, as incomplete details may result in the issue not being considered.
+      - Take a moment to [check that your issue hasn't been reported before](https://codeberg.org/forgejo/forgejo/issues?q=&type=all&labels=78137).
+- type: dropdown
+  id: can-reproduce
+  attributes:
+    label: Can you reproduce the bug on the Forgejo test instance?
+    description: |
+      Please try reproducing your issue at https://dev.next.forgejo.org.
+      It is running the latest development branch and will confirm the problem is not already fixed.
+      If you can reproduce it, provide a URL in the description.
+    options:
+    - "Yes"
+    - "No"
+  validations:
+    required: true
 - type: textarea
   id: description
   attributes:
     label: Description
     description: |
-      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see below).
+      Please provide a description of your issue here, with a URL if you were able to reproduce the issue (see above).
   validations:
     required: true
 - type: input
@@ -28,18 +40,14 @@ body:
   attributes:
     label: Forgejo Version
     description: Forgejo version (or commit reference) of your instance
-  validations:
-    required: true
-- type: dropdown
-  id: can-reproduce
+- type: textarea
+  id: run-info
   attributes:
-    label: Can you reproduce the bug on Forgejo Next?
+    label: How are you running Forgejo?
     description: |
-      Please try reproducing your issue at [Forgejo Next](https://next.forgejo.org).
-      If you can reproduce it, please provide a URL in the Description field.
-    options:
-    - "Yes"
-    - "No"
+      Please include information on whether you built Forgejo yourself, used one of our downloads, or are using some other package.
+      Please also tell us how you are running Forgejo, e.g. if it is being run from a container, a command-line, systemd etc.
+      If you are using a package or systemd tell us what distribution you are using.
   validations:
     required: true
 - type: textarea
@@ -53,31 +61,6 @@ body:
 
       Please copy and paste your logs here, with any sensitive information (e.g. API keys) removed/hidden.
       You can wrap your logs in `<details>...</details>` tags so it doesn't take up too much space in the issue.
-- type: textarea
-  id: screenshots
-  attributes:
-    label: Screenshots
-    description: If this issue involves the Web Interface, please provide one or more screenshots
-- type: input
-  id: git-ver
-  attributes:
-    label: Git Version
-    description: The version of git running on the server
-- type: input
-  id: os-ver
-  attributes:
-    label: Operating System
-    description: The operating system you are using to run Forgejo
-- type: textarea
-  id: run-info
-  attributes:
-    label: How are you running Forgejo?
-    description: |
-      Please include information on whether you built Forgejo yourself, used one of our downloads, or are using some other package.
-      Please also tell us how you are running Forgejo, e.g. if it is being run from docker, a command-line, systemd etc.
-      If you are using a package or systemd tell us what distribution you are using.
-  validations:
-    required: true
 - type: dropdown
   id: database
   attributes:
@@ -87,4 +70,3 @@ body:
     - SQLite
     - PostgreSQL
     - MySQL
-    - MSSQL

.forgejo/issue_template/config.yml

@@ -1,7 +1,7 @@
 contact_links:
   - name: 🔓 Security Reports
     url: mailto:security@forgejo.org
-    about: "Please email <security@forgejo.org> (GPG: `A4676E79`) instead of opening a public issue."
+    about: "Please email <security@forgejo.org> (See https://forgejo.org/.well-known/security.txt)."
   - name: 💬 Matrix Chat Room
     url: https://matrix.to/#/#forgejo-chat:matrix.org
     about: Please ask questions and discuss configuration or deployment problems here.

.forgejo/issue_template/feature-request.yaml

@@ -1,6 +1,6 @@
 name: 💡 Feature Request
 description: Got an idea for a feature that Forgejo doesn't have yet? Suggest it here!
-title: "[FEAT] "
+title: "feat: "
 labels: ["enhancement/feature"]
 body:
 - type: markdown

.forgejo/pull_request_template.md

@@ -0,0 +1,33 @@
+---
+
+name: "Pull Request Template"
+about: "Template for all Pull Requests"
+labels:
+
+- test/needed
+
+---
+
+## Checklist
+
+The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org).
+
+### Tests
+
+- I added test coverage for Go changes...
+  - [ ] in their respective `*_test.go` for unit tests.
+  - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server.
+- I added test coverage for JavaScript changes...
+  - [ ] in `web_src/js/*.test.js` if it can be unit tested.
+  - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)).
+
+### Documentation
+
+- [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change.
+- [ ] I did not document these changes and I do not expect someone else to do it.
+
+### Release notes
+
+- [ ] I do not want this change to show in the release notes.
+- [ ] I want the title to show in the release notes with a link to this pull request.
+- [ ] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title.

.forgejo/testdata/build-release/Dockerfile

@@ -1,4 +1,6 @@
-FROM code.forgejo.org/oci/alpine:3.19
+FROM data.forgejo.org/oci/alpine:3.21
 ARG RELEASE_VERSION=unkown
+LABEL maintainer="contact@forgejo.org" \
+      org.opencontainers.image.version="${RELEASE_VERSION}"
 RUN mkdir -p /app/gitea
 RUN ( echo '#!/bin/sh' ; echo "echo forgejo v$RELEASE_VERSION" ) > /app/gitea/gitea ; chmod +x /app/gitea/gitea

.forgejo/testdata/build-release/go.mod

@@ -0,0 +1,3 @@
+module forgejo.org
+
+go 1.23.3

.forgejo/workflows-composite/apt-install-from/action.yaml

@@ -0,0 +1,29 @@
+inputs:
+  packages:
+    description: 'Packages to install'
+    required: true
+  release:
+    description: 'Release to install from'
+    default: testing
+
+runs:
+  using: "composite"
+  steps:
+    - name: setup apt package source
+      run: |
+        export DEBIAN_FRONTEND=noninteractive
+        echo "deb http://deb.debian.org/debian/ ${RELEASE} main" > "/etc/apt/sources.list.d/${RELEASE}.list"
+      env:
+        RELEASE: ${{inputs.release}}
+    - name: install packages
+      run: |
+        apt-get update -qq
+        apt-get -q install -qq -y ${PACKAGES}
+      env:
+        PACKAGES: ${{inputs.packages}}
+    - name: remove temporary package list to prevent using it in other steps
+      run: |
+        rm "/etc/apt/sources.list.d/${RELEASE}.list"
+        apt-get update -qq
+      env:
+        RELEASE: ${{inputs.release}}

.forgejo/workflows-composite/build-backend/action.yaml

@@ -0,0 +1,15 @@
+runs:
+  using: "composite"
+  steps:
+    - run: |
+        su forgejo -c 'make deps-backend'
+    - uses: https://data.forgejo.org/actions/cache@v4
+      id: cache-backend
+      with:
+        path: ${{github.workspace}}/gitea
+        key: backend-build-${{ github.sha }}
+    - if: steps.cache-backend.outputs.cache-hit != 'true'
+      run: |
+        su forgejo -c 'make backend'
+      env:
+        TAGS: bindata

.forgejo/workflows-composite/setup-cache-go/action.yaml

@@ -0,0 +1,61 @@
+# SPDX-License-Identifier: MIT
+name: 'Forgejo Actions to setup Go and cache dependencies'
+author: 'Forgejo authors'
+description: |
+  Wrap the setup-go with improved dependency caching.
+inputs:
+  username:
+    description: 'User for which to manage the dependency cache'
+    default: root
+
+runs:
+  using: "composite"
+  steps:
+    - name: "Install zstd for faster caching"
+      run: |
+        apt-get update -qq
+        apt-get -q install -qq -y zstd
+
+    - name: "Set up Go using setup-go"
+      uses: https://data.forgejo.org/actions/setup-go@v5
+      id: go-version
+      with:
+        go-version-file: "go.mod"
+        # do not cache dependencies, we do this manually
+        cache: false
+
+    - name: "Get go environment information"
+      id: go-environment
+      run: |
+        chmod 755 $HOME # ensure ${RUN_AS_USER} has permission when go is located in $HOME
+        export GOROOT="$(go env GOROOT)"
+        echo "modcache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOMODCACHE')" >> "$GITHUB_OUTPUT"
+        echo "cache=$(su ${RUN_AS_USER} -c '${GOROOT}/bin/go env GOCACHE')" >> "$GITHUB_OUTPUT"
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        GO_VERSION: ${{ steps.go-version.outputs.go-version }}
+
+    - name: "Create cache folders with correct permissions (for non-root users)"
+      if: inputs.username != 'root'
+      # when the cache is restored, only the permissions of the last part are restored
+      # so assuming that /home/user exists and we are restoring /home/user/go/pkg/mod,
+      # both folders will have the correct permissions, but
+      # /home/user/go and /home/user/go/pkg might be owned by root
+      run: |
+        su ${RUN_AS_USER} -c 'mkdir -p "${MODCACHE_DIR}" "${CACHE_DIR}"'
+      env:
+        RUN_AS_USER: ${{ inputs.username }}
+        MODCACHE_DIR: ${{ steps.go-environment.outputs.modcache }}
+        CACHE_DIR: ${{ steps.go-environment.outputs.cache }}
+
+    - name: "Restore Go dependencies from cache or mark for later caching"
+      id: cache-deps
+      uses: https://data.forgejo.org/actions/cache@v4
+      with:
+        key: setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-${{ hashFiles('go.sum', 'go.mod') }}
+        restore-keys: |
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-${{ steps.go-version.outputs.go_version }}-
+          setup-cache-go-deps-${{ runner.os }}-${{ inputs.username }}-
+        path: |
+          ${{ steps.go-environment.outputs.modcache }}
+          ${{ steps.go-environment.outputs.cache }}

.forgejo/workflows-composite/setup-env/action.yaml

@@ -0,0 +1,25 @@
+# TODO:
+# - [ ] prepare a forgejo ci image with the necessary tools and forgejo user
+runs:
+  using: "composite"
+  steps:
+    - name: setup user and permissions
+      run: |
+        git config --add safe.directory '*'
+        # ignore if the user already exists (like with the playwright image)
+        adduser --quiet --comment forgejo --disabled-password forgejo || true
+        chown -R forgejo:forgejo .
+
+    - uses: ./.forgejo/workflows-composite/setup-cache-go
+      with:
+        username: forgejo
+
+    - name: validate go version
+      run: |
+        set -ex
+        toolchain=$(grep -oP '(?<=toolchain ).+' go.mod)
+        version=$(go version | cut -d' ' -f3)
+        if dpkg --compare-versions ${version#go} lt ${toolchain#go}; then
+          echo "go version too low: $toolchain >= $version"
+          exit 1
+        fi

.forgejo/workflows/backport.yml

@@ -22,6 +22,8 @@
 #    `backport/v1.21` label on a merged pull request that can be backported
 #    without conflict.
 #
+name: issue-labels
+
 on:
   pull_request_target:
     types:
@@ -31,57 +33,29 @@ on:
 jobs:
   backporting:
     if: >
-      !startsWith(vars.ROLE, 'forgejo-') && (
+      ( vars.ROLE == 'forgejo-coding' ) && (
         github.event.pull_request.merged
-        && (
-          (
-            github.event.action == 'closed' &&
-            contains(toJSON(github.event.pull_request.labels), 'backport/v')
-          )
-          ||
-          (
-            github.event.action == 'labeled' &&
-            contains(github.event.label.name, 'backport/v')
-          )
-        )
+        &&
+        contains(toJSON(github.event.pull_request.labels), 'backport/v')
       )
     runs-on: docker
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
-      - name: Fetch labels
-        id: fetch-labels
-        shell: bash
+      - name: event info
         run: |
-          set -x
-          echo "Labels retrieved below"
-          export DEBIAN_FRONTEND=noninteractive
-          apt-get update -qq
-          apt-get -q install -qq -y jq
-          filtered_labels=$(echo "$LABELS" | jq -c 'map(select(.name | startswith("backport/v")))')
-          echo "FILTERED_LABELS=${filtered_labels}" >> $GITHUB_ENV
-        env:
-          LABELS: ${{ toJSON(github.event.pull_request.labels) }}
-      - name: Extract targets
-        id: extract-targets
-        shell: bash
-        run: |
-          set -x
-          targets="$(echo $FILTERED_LABELS | jq -c '[.[] | .name | sub("backport/"; "")]')"
-          echo "targets=$(echo $targets)" >> $GITHUB_OUTPUT
-
-      - name: Printing info
-        shell: bash
-        run: |
-          echo "targets: ${{ steps.extract-targets.outputs.targets }}"
-          echo "target-branch: ${{ fromJSON(steps.extract-targets.outputs.targets)[0] }}"
-          echo "pull-request: ${{ github.event.pull_request.url }}"
-
-      - uses: https://code.forgejo.org/actions/git-backporting@v4.6.0
+          cat <<'EOF'
+          ${{ toJSON(github) }}
+          EOF
+      - uses: https://data.forgejo.org/actions/git-backporting@v4.8.5
         with:
-          target-branch: ${{ fromJSON(steps.extract-targets.outputs.targets)[0] }}/forgejo
+          target-branch-pattern: "^backport/(?<target>(v.*))$"
           strategy: ort
           strategy-option: find-renames
-          no-squash: true
+          cherry-pick-options: -x
           auth: ${{ secrets.BACKPORT_TOKEN }}
           pull-request: ${{ github.event.pull_request.url }}
+          auto-no-squash: true
+          enable-err-notification: true
+          git-user: forgejo-backport-action
+          git-email: forgejo-backport-action@noreply.codeberg.org

.forgejo/workflows/build-release-integration.yml

@@ -22,13 +22,13 @@ on:
 
 jobs:
   release-simulation:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
-    runs-on: self-hosted
+    if: vars.ROLE == 'forgejo-coding'
+    runs-on: lxc-bookworm
     steps:
-      - uses: actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
 
       - id: forgejo
-        uses: https://code.forgejo.org/actions/setup-forgejo@v1
+        uses: https://data.forgejo.org/actions/setup-forgejo@v2.0.4
         with:
           user: root
           password: admin1234

.forgejo/workflows/build-release.yml

@@ -1,5 +1,5 @@
 #
-# See also https://forgejo.org/docs/next/developer/RELEASE/#release-process
+# See also https://forgejo.org/docs/next/contributor/release/#stable-release-process
 #
 # https://codeberg.org/forgejo-integration/forgejo
 #
@@ -14,6 +14,12 @@
 #  secrets.CASCADE_DESTINATION_TOKEN: <generated from code.forgejo.org/forgejo-ci> scope read:user, write:repository, write:issue
 #  vars.CASCADE_DESTINATION_DOER: forgejo-ci
 #
+#  vars.SKIP_END_TO_END: `true` or `false`
+#    It must be `false` (or absent) so https://code.forgejo.org/forgejo/end-to-end is run
+#    with the newly built release.
+#    It must be set to `true` when a release is missing, for instance because it was
+#    removed and failed to upload.
+#
 on:
   push:
     tags: 'v[0-9]+.[0-9]+.*'
@@ -23,11 +29,11 @@ on:
 
 jobs:
   release:
-    runs-on: self-hosted
+    runs-on: lxc-bookworm
     # root is used for testing, allow it
     if: vars.ROLE == 'forgejo-integration' || github.repository_owner == 'root'
     steps:
-      - uses: actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
         with:
           fetch-depth: 0
 
@@ -37,14 +43,13 @@ jobs:
           repository="${{ github.repository }}"
           echo "value=${repository##*/}" >> "$GITHUB_OUTPUT"
 
-      - uses: https://code.forgejo.org/actions/setup-node@v3
+      - uses: https://data.forgejo.org/actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
 
-      - uses: https://code.forgejo.org/actions/setup-go@v4
+      - uses: https://data.forgejo.org/actions/setup-go@v5
         with:
-          go-version: "1.22"
-          check-latest: true
+          go-version-file: "go.mod"
 
       - name: version from ref
         id: release-info
@@ -88,7 +93,7 @@ jobs:
 
       - name: cache node_modules
         id: node
-        uses: https://code.forgejo.org/actions/cache@v3
+        uses: https://data.forgejo.org/actions/cache@v4
         with:
           path: |
             node_modules
@@ -159,7 +164,7 @@ jobs:
 
       - name: build container & release
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v3
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@@ -173,11 +178,12 @@ jobs:
           binary-name: forgejo
           binary-path: /app/gitea/gitea
           override: "${{ steps.release-info.outputs.override }}"
+          verify-labels: "maintainer=contact@forgejo.org,org.opencontainers.image.version=${{ steps.release-info.outputs.version }}"
           verbose: ${{ vars.VERBOSE || secrets.VERBOSE || 'false' }}
 
       - name: build rootless container
         if: ${{ secrets.TOKEN != '' }}
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/build@v3
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/build@v5.3.4
         with:
           forgejo: "${{ env.GITHUB_SERVER_URL }}"
           owner: "${{ env.GITHUB_REPOSITORY_OWNER }}"
@@ -190,11 +196,12 @@ jobs:
           suffix: -rootless
           dockerfile: Dockerfile.rootless
           override: "${{ steps.release-info.outputs.override }}"
+          verify-labels: "maintainer=contact@forgejo.org,org.opencontainers.image.version=${{ steps.release-info.outputs.version }}"
           verbose: ${{ vars.VERBOSE || secrets.VERBOSE || 'false' }}
 
       - name: end-to-end tests
-        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' }}
-        uses: https://code.forgejo.org/actions/cascading-pr@v2
+        if: ${{ secrets.TOKEN != '' && vars.ROLE == 'forgejo-integration' && vars.SKIP_END_TO_END != 'true' }}
+        uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
         with:
           origin-url: ${{ env.GITHUB_SERVER_URL }}
           origin-repo: ${{ github.repository }}

.forgejo/workflows/cascade-setup-end-to-end.yml

@@ -12,8 +12,10 @@
 #    whatever is in the default branch instead
 #
 #  - after it is merged, double check it works by setting the
-#    run-end-to-end-test on a pull request (any pull request will doe
+#    run-end-to-end-test on a pull request (any pull request will do)
 #
+name: issue-labels
+
 on:
   push:
     branches:
@@ -23,42 +25,23 @@ on:
       - labeled
 
 jobs:
-  info:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
-    runs-on: docker
-    container:
-      image: node:20-bookworm
-    steps:
-      - name: event
-        run: |
-          echo github.event.pull_request.head.repo.fork = ${{ github.event.pull_request.head.repo.fork }}
-          echo github.event.action = ${{ github.event.action }}
-          echo github.event.pull_request.merged = ${{ github.event.pull_request.merged }}
-          echo github.event.pull_request.labels.*.name
-          cat <<'EOF'
-          ${{ toJSON(github.event.pull_request.labels.*.name) }}
-          EOF
-          cat <<'EOF'
-          ${{ toJSON(github.event) }}
-          EOF
-
   cascade:
     if: >
-      !startsWith(vars.ROLE, 'forgejo-') && (
+      vars.ROLE == 'forgejo-coding' && (
         github.event_name == 'push' ||
         (
-          github.event.action == 'label_updated' && contains(github.event.pull_request.labels.*.name, 'run-end-to-end-tests')
+          github.event.action == 'label_updated' && github.event.label.name == 'run-end-to-end-tests'
         )
       )
     runs-on: docker
     container:
-      image: node:20-bookworm
+      image: data.forgejo.org/oci/node:22-bookworm
     steps:
-      - uses: actions/checkout@v4
+      - uses: https://data.forgejo.org/actions/checkout@v4
         with:
           fetch-depth: '0'
           show-progress: 'false'
-      - uses: actions/cascading-pr@v2
+      - uses: https://data.forgejo.org/actions/cascading-pr@v2.2.0
         with:
           origin-url: ${{ env.GITHUB_SERVER_URL }}
           origin-repo: ${{ github.repository }}

.forgejo/workflows/e2e.yml

@@ -1,37 +0,0 @@
-name: e2e
-
-on:
-  pull_request:
-    paths:
-      - Makefile
-      - .forgejo/workflows/e2e.yml
-      - tests/e2e/**
-
-jobs:
-  test-e2e:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
-    runs-on: docker
-    container:
-      image: 'docker.io/node:20-bookworm'
-    steps:
-      - uses: https://code.forgejo.org/actions/checkout@v4
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version: "1.22"
-          check-latest: true
-      - run: |
-          apt-get -qq update
-          apt-get -qq install -q sudo
-          sed -i -e 's/%sudo.*/%sudo   ALL=(ALL:ALL) NOPASSWD:ALL/' /etc/sudoers
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          adduser forgejo sudo
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-frontend frontend deps-backend'
-      - run: |
-          su forgejo -c 'make generate test-e2e-sqlite'
-        timeout-minutes: 40
-        env:
-          DEPS_PLAYWRIGHT: 1
-          USE_REPO_TEST_DIR: 1

.forgejo/workflows/forgejo-integration-cleanup.yml

@@ -0,0 +1,39 @@
+on:
+  workflow_dispatch:
+
+  schedule:
+    - cron: '@daily'
+
+jobs:
+  integration-cleanup:
+    if: vars.ROLE == 'forgejo-integration'
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+    steps:
+
+      - name: apt install curl jq
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get -q install -qq -y curl jq
+
+      - name: remove old releases and tags
+        run: |
+          url=https://any:${{ secrets.TOKEN }}@codeberg.org
+          curl -sS "$url/api/v1/repos/forgejo-integration/forgejo/releases" | jq -r '.[] | "\(.published_at) \(.tag_name)"' | sort  | while read published_at version ; do
+            if echo $version | grep -e '-test$' >/dev/null; then
+              old="18 months"
+            else
+              old="1 day"
+            fi
+            too_old=$(env -i date --date="- $old" +%F)
+            too_old_seconds=$(env -i date --date="- $old" +%s)
+            published_at_seconds=$(env -i date --date="$published_at" +%s)
+            if test $published_at_seconds -le $too_old_seconds ; then
+              echo "$version was published more than $old ago ($published_at <= $too_old) and will be removed"
+              curl -X DELETE -sS "$url/api/v1/repos/forgejo-integration/forgejo/releases/tags/$version"
+            else
+              echo "$version was published less than $old ago"
+            fi
+          done

.forgejo/workflows/merge-requirements.yml

@@ -0,0 +1,45 @@
+# Copyright 2024 The Forgejo Authors
+# SPDX-License-Identifier: MIT
+
+name: requirements
+
+on:
+  pull_request:
+    types:
+      - labeled
+      - edited
+      - opened
+      - synchronize
+
+jobs:
+  merge-conditions:
+    if: vars.ROLE == 'forgejo-coding'
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+    steps:
+      - name: Debug output
+        run: |
+          cat <<'EOF'
+          ${{ toJSON(github) }}
+          EOF
+      - name: Missing test label
+        if: >
+          !(
+            contains(toJSON(github.event.pull_request.labels), 'test/present')
+            || contains(toJSON(github.event.pull_request.labels), 'test/not-needed')
+            || contains(toJSON(github.event.pull_request.labels), 'test/manual')
+          )
+        run: |
+          echo "A team member must set the label to either 'present', 'not-needed' or 'manual'."
+          exit 1
+      - name: Missing manual test instructions
+        if: >
+          (
+            contains(toJSON(github.event.pull_request.labels), 'test/manual')
+            && !contains(toJSON(github.event.pull_request.body), '# Test')
+          )
+        run: |
+          echo "Manual test label is set. The PR description needs to contain test steps introduced by a heading like:"
+          echo "# Testing"
+          exit 1

.forgejo/workflows/milestone.yml

@@ -0,0 +1,24 @@
+# Copyright 2024 The Forgejo Authors
+# SPDX-License-Identifier: MIT
+#
+name: milestone
+
+on:
+  pull_request_target:
+    types:
+      - closed
+
+jobs:
+  set:
+    if: vars.ROLE == 'forgejo-coding' && github.event.pull_request.merged
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/ci:1'
+    steps:
+      - uses: https://data.forgejo.org/forgejo/set-milestone@v1.0.0
+        with:
+          forgejo: https://codeberg.org
+          repository: forgejo/forgejo
+          token: ${{ secrets.SET_MILESTONE_TOKEN }}
+          pr-number: ${{ github.event.pull_request.number }}
+          verbose: ${{ vars.SET_MILESTONE_VERBOSE }}

.forgejo/workflows/mirror.yml

@@ -1,6 +1,8 @@
 name: mirror
 
 on:
+  workflow_dispatch:
+
   schedule:
     - cron: '@daily'
 
@@ -9,7 +11,7 @@ jobs:
     if: ${{ secrets.MIRROR_TOKEN != '' }}
     runs-on: docker
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
     steps:
       - name: git push {v*/,}forgejo
         run: |

.forgejo/workflows/publish-release.yml

@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: MIT
 #
-# See also https://forgejo.org/docs/next/developer/RELEASE/#release-process
+# See also https://forgejo.org/docs/next/contributor/release/#stable-release-process
+#
+# TOKEN_NEXT_DIGEST is a token with write repository access to https://invisible.forgejo.org/infrastructure/next-digest issued by https://invisible.forgejo.org/forgejo-next-digest
 #
 # https://codeberg.org/forgejo-experimental/forgejo
 #
@@ -14,7 +16,7 @@
 #  vars.DOER: forgejo-experimental-ci
 #  secrets.TOKEN: <generated from codeberg.org/forgejo-experimental-ci>
 #
-# http://private.forgejo.org/forgejo/forgejo
+# http://invisible.forgejo.org/forgejo/forgejo
 #
 #  Copies & sign a release from codeberg.org/forgejo-integration to codeberg.org/forgejo
 #
@@ -36,20 +38,20 @@ on:
 
 jobs:
   publish:
-    runs-on: self-hosted
+    runs-on: lxc-bookworm
     if: vars.DOER != '' && vars.FORGEJO != '' && vars.TO_OWNER != '' && vars.FROM_OWNER != '' && secrets.TOKEN != ''
     steps:
-      - uses: actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
 
       - name: copy & sign
-        uses: https://code.forgejo.org/forgejo/forgejo-build-publish/publish@v4
+        uses: https://data.forgejo.org/forgejo/forgejo-build-publish/publish@v5.3.4
         with:
           from-forgejo: ${{ vars.FORGEJO }}
           to-forgejo: ${{ vars.FORGEJO }}
           from-owner: ${{ vars.FROM_OWNER }}
           to-owner: ${{ vars.TO_OWNER }}
           repo: ${{ vars.REPO }}
-          release-notes: "See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/RELEASE-NOTES.md#{ANCHOR}"
+          release-notes: "See https://codeberg.org/forgejo/forgejo/src/branch/forgejo/release-notes-published/{VERSION}.md"
           ref-name: ${{ github.ref_name }}
           sha: ${{ github.sha }}
           from-token: ${{ secrets.TOKEN }}
@@ -59,21 +61,28 @@ jobs:
           gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
           verbose: ${{ vars.VERBOSE }}
 
+      - name: get trigger mirror issue
+        id: mirror
+        uses: https://data.forgejo.org/infrastructure/issue-action/get@v1.3.0
+        with:
+          forgejo: https://code.forgejo.org
+          repository: forgejo/forgejo
+          labels: mirror-trigger
 
-      - name: set up go for the DNS update below
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
-        uses: https://code.forgejo.org/actions/setup-go@v4
+      - name: trigger the mirror
+        uses: https://data.forgejo.org/infrastructure/issue-action/set@v1.3.0
         with:
-          go-version: "1.22"
-          check-latest: true
-      - name: update the _release.experimental DNS record
-        if: vars.ROLE == 'forgejo-experimental' && secrets.OVH_APP_KEY != ''
-        uses: https://code.forgejo.org/actions/ovh-dns-update@v1
+          forgejo: https://code.forgejo.org
+          repository: forgejo/forgejo
+          token: ${{ secrets.LABEL_ISSUE_FORGEJO_MIRROR_TOKEN }}
+          numbers: ${{ steps.mirror.outputs.numbers }}
+          label-wait-if-exists: 3600
+          label: trigger
+
+      - name: upgrade v*.next.forgejo.org
+        uses: https://data.forgejo.org/infrastructure/next-digest@v1.1.0
         with:
-          subdomain: _release.experimental
-          domain: forgejo.com # there is a CNAME from .org to .com (for security reasons)
-          record-id: 5283602601
-          value: v=${{ github.ref_name }}
-          ovh-app-key: ${{ secrets.OVH_APP_KEY }}
-          ovh-app-secret: ${{ secrets.OVH_APP_SECRET }}
-          ovh-consumer-key: ${{ secrets.OVH_CON_KEY }}
+          url: https://placeholder:${{ secrets.TOKEN_NEXT_DIGEST }}@invisible.forgejo.org/infrastructure/next-digest
+          ref_name: '${{ github.ref_name }}'
+          image: 'codeberg.org/forgejo-experimental/forgejo'
+          tag_suffix: '-rootless'

.forgejo/workflows/release-notes-assistant-milestones.yml

@@ -0,0 +1,36 @@
+on:
+  workflow_dispatch:
+
+  schedule:
+    - cron: '@daily'
+
+env:
+  RNA_VERSION: v1.2.5 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+
+jobs:
+  release-notes:
+    if: vars.ROLE == 'forgejo-coding'
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+
+      - uses: https://data.forgejo.org/actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: apt install jq
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get -q install -y -qq jq
+
+      - name: update open milestones
+        run: |
+          set -x
+          curl -sS $GITHUB_SERVER_URL/api/v1/repos/$GITHUB_REPOSITORY/milestones?state=open | jq -r '.[] | .title' | while read forgejo version ; do
+            milestone="$forgejo $version"
+            go run code.forgejo.org/forgejo/release-notes-assistant@$RNA_VERSION --config .release-notes-assistant.yaml --storage milestone --storage-location "$milestone"  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} release $version
+          done

.forgejo/workflows/release-notes-assistant.yml

@@ -0,0 +1,44 @@
+name: issue-labels
+
+on:
+  pull_request_target:
+    types:
+      - edited
+      - synchronize
+      - labeled
+
+env:
+  RNA_VERSION: v1.2.5 # renovate: datasource=gitea-releases depName=forgejo/release-notes-assistant registryUrl=https://code.forgejo.org
+
+jobs:
+  release-notes:
+    if: ( vars.ROLE == 'forgejo-coding' ) && contains(github.event.pull_request.labels.*.name, 'worth a release-note')
+    runs-on: docker
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+
+      - name: event
+        run: |
+          cat <<'EOF'
+          ${{ toJSON(github.event.pull_request.labels.*.name) }}
+          EOF
+          cat <<'EOF'
+          ${{ toJSON(github.event) }}
+          EOF
+
+      - uses: https://data.forgejo.org/actions/setup-go@v5
+        with:
+          go-version-file: "go.mod"
+          cache: false
+
+      - name: apt install jq
+        run: |
+          export DEBIAN_FRONTEND=noninteractive
+          apt-get update -qq
+          apt-get -q install -y -qq jq
+
+      - name: release-notes-assistant preview
+        run: |
+          go run code.forgejo.org/forgejo/release-notes-assistant@$RNA_VERSION --config .release-notes-assistant.yaml --storage pr --storage-location ${{ github.event.pull_request.number }}  --forgejo-url $GITHUB_SERVER_URL --repository $GITHUB_REPOSITORY --token ${{ secrets.RELEASE_NOTES_ASSISTANT_TOKEN }} preview ${{ github.event.pull_request.number }}

.forgejo/workflows/renovate.yml

@@ -1,34 +1,49 @@
+#
+# Runs every 2 hours, but Renovate is limited to create new PR before 4am.
+# See renovate.json for more settings.
+# Automerge is enabled for Renovate PR's but need to be approved before.
+#
 name: renovate
 
 on:
   push:
     branches:
-      - 'renovate/**' # self-test updates
+      - renovate/** # self-test updates
+    paths:
+      - .forgejo/workflows/renovate.yml
   schedule:
-    - cron: '*/30 * * * *'
+    - cron: '0 0/2 * * *'
+  workflow_dispatch:
 
 env:
   RENOVATE_DRY_RUN: ${{ (github.event_name != 'schedule' && github.ref_name != github.event.repository.default_branch) && 'full' || '' }}
   RENOVATE_REPOSITORIES: ${{ github.repository }}
+  # fix because 10.0.0-58-7e1df53+gitea-1.22.0 < 10.0.0 for semver
+  # and codeberg api returns such versions from `git describe --tags`
+  # RENOVATE_X_PLATFORM_VERSION: 10.0.0+gitea-1.22.0 currently not needed
 
 jobs:
   renovate:
-    if: ${{ secrets.RENOVATE_TOKEN != '' }}
+    if: vars.ROLE == 'forgejo-coding' && secrets.RENOVATE_TOKEN != ''
 
     runs-on: docker
     container:
-      image: ghcr.io/visualon/renovate:37.272.0
+      image: data.forgejo.org/renovate/renovate:40.11.19
 
     steps:
-      - uses: https://code.forgejo.org/actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+      - name: Load renovate repo cache
+        uses: https://data.forgejo.org/actions/cache/restore@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             .tmp/cache/renovate/repository
+            .tmp/cache/renovate/renovate-cache-sqlite
+            .tmp/osv
           key: repo-cache-${{ github.run_id }}
           restore-keys: |
             repo-cache-
 
-      - run: renovate
+      - name: Run renovate
+        run: renovate
         env:
           GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
           LOG_LEVEL: debug
@@ -39,15 +54,21 @@ jobs:
           RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
           RENOVATE_GIT_AUTHOR: 'Renovate Bot <forgejo-renovate-action@forgejo.org>'
 
+          RENOVATE_X_SQLITE_PACKAGE_CACHE: true
+
           GIT_AUTHOR_NAME: 'Renovate Bot'
           GIT_AUTHOR_EMAIL: 'forgejo-renovate-action@forgejo.org'
           GIT_COMMITTER_NAME: 'Renovate Bot'
           GIT_COMMITTER_EMAIL: 'forgejo-renovate-action@forgejo.org'
 
+          OSV_OFFLINE_ROOT_DIR: ${{ github.workspace }}/.tmp/osv
+
       - name: Save renovate repo cache
-        if: always() && env.RENOVATE_DRY_RUN == 'true'
-        uses: https://code.forgejo.org/actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        if: always() && env.RENOVATE_DRY_RUN != 'full'
+        uses: https://data.forgejo.org/actions/cache/save@3624ceb22c1c5a301c8db4169662070a689d9ea8 # v4.1.1
         with:
           path: |
             .tmp/cache/renovate/repository
+            .tmp/cache/renovate/renovate-cache-sqlite
+            .tmp/osv
           key: repo-cache-${{ github.run_id }}

.forgejo/workflows/testing.yml

@@ -6,206 +6,282 @@ on:
     branches:
       - 'forgejo*'
       - 'v*/forgejo*'
+  workflow_dispatch:
 
 jobs:
   backend-checks:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version: "1.22"
-          check-latest: true
-      - run: make deps-backend deps-tools
-      - run: make --always-make -j$(nproc) lint-backend checks-backend # ensure the "go-licenses" make target runs
+      - name: event info
+        run: |
+          cat <<'EOF'
+          ${{ toJSON(github) }}
+          EOF
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - run: su forgejo -c 'make deps-backend deps-tools'
+      - run: su forgejo -c 'make --always-make -j$(nproc) lint-backend tidy-check swagger-check lint-swagger fmt-check swagger-validate' # ensure the "go-licenses" make target runs
+      - uses: ./.forgejo/workflows-composite/build-backend
   frontend-checks:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
+      - uses: https://data.forgejo.org/actions/checkout@v4
       - run: make deps-frontend
       - run: make lint-frontend
       - run: make checks-frontend
-      - run: make test-frontend
+      - run: make test-frontend-coverage
       - run: make frontend
+      - name: Install zstd for cache saving
+        # works around https://github.com/actions/cache/issues/1169, because the
+        # consuming job has zstd and doesn't restore the cache otherwise
+        run: |
+          apt-get update -qq
+          apt-get -q install -qq -y zstd
+      - name: "Cache frontend build for playwright testing"
+        uses: https://data.forgejo.org/actions/cache/save@v4
+        with:
+          path: ${{github.workspace}}/public/assets
+          key: frontend-build-${{ github.sha }}
   test-unit:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
     services:
+      elasticsearch:
+        image: data.forgejo.org/oci/bitnami/elasticsearch:7
+        options: --tmpfs /bitnami/elasticsearch/data
+        env:
+          discovery.type: single-node
+          ES_JAVA_OPTS: "-Xms512m -Xmx512m"
       minio:
-        image: bitnami/minio:2024.2.26
+        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
         options: >-
-          --hostname gitea.minio
+          --hostname gitea.minio --tmpfs /bitnami/minio/data:noatime
         env:
           MINIO_DOMAIN: minio
           MINIO_ROOT_USER: 123456
           MINIO_ROOT_PASSWORD: 12345678
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version: "1.22"
-      - run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
       - name: install git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git
+      - name: test release-notes-assistant.sh
         run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get -q install -qq -y git
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata
+          apt-get -q install -qq -y jq
+          ./release-notes-assistant.sh test_main
+      - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-backend test-check'
-        timeout-minutes: 50
+        timeout-minutes: 120
         env:
           RACE_ENABLED: 'true'
           TAGS: bindata
-  test-mysql:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+          TEST_ELASTICSEARCH_URL: http://elasticsearch:9200
+  test-e2e:
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/playwright:latest'
+      options: --tmpfs /tmp:exec,noatime
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+        with:
+          fetch-depth: 20
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - name: "Restore frontend build"
+        uses: https://data.forgejo.org/actions/cache/restore@v4
+        id: cache-frontend
+        with:
+          path: ${{github.workspace}}/public/assets
+          key: frontend-build-${{ github.sha }}
+      - name: "Build frontend (if not cached)"
+        if: steps.cache-frontend.outputs.cache-hit != 'true'
+        run: |
+          su forgejo -c 'make deps-frontend frontend'
+      - uses: ./.forgejo/workflows-composite/build-backend
+      - name: Get changed files
+        id: changed-files
+        uses: https://data.forgejo.org/tj-actions/changed-files@v46
+        with:
+          separator: '\n'
+      - run: |
+          su forgejo -c 'make generate test-e2e-sqlite'
+        timeout-minutes: 120
+        env:
+          USE_REPO_TEST_DIR: 1
+          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+          CHANGED_FILES: ${{steps.changed-files.outputs.all_changed_files}}
+      - name: Upload test artifacts on failure
+        if: failure()
+        uses: https://data.forgejo.org/forgejo/upload-artifact@v4
+        with:
+          name: test-artifacts.zip
+          path: tests/e2e/test-artifacts/
+          retention-days: 3
+  test-remote-cacher:
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
+    runs-on: docker
+    needs: [backend-checks, frontend-checks, test-unit]
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
+    name: ${{ format('test-remote-cacher ({0})', matrix.cacher.name) }}
+    strategy:
+      matrix:
+        cacher:
+          - name: redis
+            image: data.forgejo.org/oci/bitnami/redis:7.2
+            options: --tmpfs /bitnami/redis/data:noatime
+          - name: redict
+            image: registry.redict.io/redict:7.3.0-scratch
+            options: --tmpfs /data:noatime
+          - name: valkey
+            image: data.forgejo.org/oci/bitnami/valkey:7.2
+            options: --tmpfs /bitnami/redis/data:noatime
+          - name: garnet
+            image: ghcr.io/microsoft/garnet-alpine:1.0.14
+            options: --tmpfs /data:noatime
+    services:
+      cacher:
+        image: ${{ matrix.cacher.image }}
+        options: ${{ matrix.cacher.options }}
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - name: install git >= 2.42
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git
+      - uses: ./.forgejo/workflows-composite/build-backend
+      - run: |
+          su forgejo -c 'make test-remote-cacher test-check'
+        timeout-minutes: 120
+        env:
+          RACE_ENABLED: 'true'
+          TAGS: bindata
+          TEST_REDIS_SERVER: cacher:${{ matrix.cacher.port }}
+  test-mysql:
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
+    runs-on: docker
+    needs: [backend-checks, frontend-checks]
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
     services:
       mysql:
-        image: 'docker.io/mysql:8-debian'
+        image: 'data.forgejo.org/oci/bitnami/mysql:8.4'
         env:
-          MYSQL_ALLOW_EMPTY_PASSWORD: yes
+          ALLOW_EMPTY_PASSWORD: yes
           MYSQL_DATABASE: testgitea
-        #
-        # See also https://codeberg.org/forgejo/forgejo/issues/976
-        #
-        cmd: ['mysqld', '--innodb-adaptive-flushing=OFF', '--innodb-buffer-pool-size=4G', '--innodb-log-buffer-size=128M', '--innodb-flush-log-at-trx-commit=0', '--innodb-flush-log-at-timeout=30', '--innodb-flush-method=nosync', '--innodb-fsync-threshold=1000000000']
+          #
+          # See also https://codeberg.org/forgejo/forgejo/issues/976
+          #
+          MYSQL_EXTRA_FLAGS: --innodb-adaptive-flushing=OFF --innodb-buffer-pool-size=4G --innodb-log-buffer-size=128M --innodb-flush-log-at-trx-commit=0 --innodb-flush-log-at-timeout=30 --innodb-flush-method=nosync --innodb-fsync-threshold=1000000000 --disable-log-bin
+        options: --tmpfs /bitnami/mysql/data:noatime
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version: "1.22"
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
       - name: install dependencies & git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get install --no-install-recommends -qq -y git git-lfs
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - name: setup user and permissions
-        run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git git-lfs
+      - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-mysql-migration test-mysql'
-        timeout-minutes: 50
+        timeout-minutes: 120
         env:
-          TAGS: bindata
           USE_REPO_TEST_DIR: 1
   test-pgsql:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
     services:
       minio:
-        image: bitnami/minio:2024.2.26
+        image: data.forgejo.org/oci/bitnami/minio:2024.8.17
         env:
           MINIO_ROOT_USER: 123456
           MINIO_ROOT_PASSWORD: 12345678
+        options: --tmpfs /bitnami/minio/data
+      ldap:
+        image: data.forgejo.org/oci/test-openldap:latest
       pgsql:
-        image: 'docker.io/postgres:15'
+        image: data.forgejo.org/oci/bitnami/postgresql:16
         env:
-          POSTGRES_DB: test
-          POSTGRES_PASSWORD: postgres
+          POSTGRESQL_DATABASE: test
+          POSTGRESQL_PASSWORD: postgres
+          POSTGRESQL_FSYNC: off
+          POSTGRESQL_EXTRA_FLAGS: -c full_page_writes=off
+        options: --tmpfs /bitnami/postgresql
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version: "1.22"
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
       - name: install dependencies & git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get install --no-install-recommends -qq -y git git-lfs
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - name: setup user and permissions
-        run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git git-lfs
+      - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-pgsql-migration test-pgsql'
-        timeout-minutes: 50
+        timeout-minutes: 120
         env:
-          TAGS: bindata
           RACE_ENABLED: true
           USE_REPO_TEST_DIR: 1
+          TEST_LDAP: 1
   test-sqlite:
-    if: ${{ !startsWith(vars.ROLE, 'forgejo-') }}
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
     runs-on: docker
     needs: [backend-checks, frontend-checks]
     container:
-      image: 'docker.io/node:20-bookworm'
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
     steps:
-      - uses: https://code.forgejo.org/actions/checkout@v3
-      - uses: https://code.forgejo.org/actions/setup-go@v4
-        with:
-          go-version: "1.22"
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
       - name: install dependencies & git >= 2.42
-        run: |
-          export DEBIAN_FRONTEND=noninteractive
-          echo deb http://deb.debian.org/debian/ testing  main > /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-          apt-get install --no-install-recommends -qq -y git git-lfs
-          rm /etc/apt/sources.list.d/testing.list
-          apt-get update -qq
-      - name: setup user and permissions
-        run: |
-          git config --add safe.directory '*'
-          adduser --quiet --comment forgejo --disabled-password forgejo
-          chown -R forgejo:forgejo .
-      - run: |
-          su forgejo -c 'make deps-backend'
-      - run: |
-          su forgejo -c 'make backend'
-        env:
-          TAGS: bindata sqlite sqlite_unlock_notify
+        uses: ./.forgejo/workflows-composite/apt-install-from
+        with:
+          packages: git git-lfs
+      - uses: ./.forgejo/workflows-composite/build-backend
       - run: |
           su forgejo -c 'make test-sqlite-migration test-sqlite'
-        timeout-minutes: 50
+        timeout-minutes: 120
         env:
-          TAGS: bindata sqlite sqlite_unlock_notify
+          TAGS: sqlite sqlite_unlock_notify
           RACE_ENABLED: true
           TEST_TAGS: sqlite sqlite_unlock_notify
           USE_REPO_TEST_DIR: 1
+  security-check:
+    if: vars.ROLE == 'forgejo-coding' || vars.ROLE == 'forgejo-testing'
+    runs-on: docker
+    needs:
+      - test-sqlite
+      - test-pgsql
+      - test-mysql
+      - test-remote-cacher
+      - test-unit
+    container:
+      image: 'data.forgejo.org/oci/node:22-bookworm'
+      options: --tmpfs /tmp:exec,noatime
+    steps:
+      - uses: https://data.forgejo.org/actions/checkout@v4
+      - uses: ./.forgejo/workflows-composite/setup-env
+      - run: su forgejo -c 'make deps-backend deps-tools'
+      - run: su forgejo -c 'make security-check'

.gitattributes

@@ -1,5 +1,6 @@
 * text=auto eol=lf
 *.tmpl linguist-language=go-html-template
+*.pb.go linguist-generated
 /assets/*.json linguist-generated
 /public/assets/img/svg/*.svg linguist-generated
 /templates/swagger/v1_json.tmpl linguist-generated

.gitea/pull_request_template.md

@@ -1,13 +0,0 @@
----
-
-name: "Pull Request Template"
-about: "Template for all Pull Requests"
-labels:
-
-- test/needed
-
----
-<!--
-Before submitting a PR, please read the contributing guidelines:
-https://codeberg.org/forgejo/forgejo/src/branch/forgejo/CONTRIBUTING.md
--->

.gitignore

@@ -37,6 +37,7 @@ _testmain.go
 
 *coverage.out
 coverage.all
+coverage/
 cpu.out
 
 /modules/migration/bindata.go
@@ -56,6 +57,7 @@ cpu.out
 /gitea-vet
 /debug
 /integrations.test
+/forgejo
 
 /bin
 /dist
@@ -72,6 +74,7 @@ cpu.out
 /tests/e2e/reports
 /tests/e2e/test-artifacts
 /tests/e2e/test-snapshots
+/tests/e2e/.auth
 /tests/*.ini
 /tests/**/*.git/**/*.sample
 /node_modules
@@ -83,7 +86,6 @@ cpu.out
 /public/assets/css
 /public/assets/fonts
 /public/assets/licenses.txt
-/public/assets/img/webpack
 /vendor
 /web_src/fomantic/node_modules
 /web_src/fomantic/build/*
@@ -102,6 +104,9 @@ cpu.out
 /.go-licenses
 /.cur-deadcode-out
 
+# Files and folders that were previously generated
+/public/assets/img/webpack
+
 # Snapcraft
 /gitea_a*.txt
 snap/.snapcraft/
@@ -113,6 +118,12 @@ prime/
 *_source.tar.bz2
 .DS_Store
 
+# Direnv configuration
+/.envrc
+
+# nix-direnv generated files
+.direnv/
+
 # Make evidence files
 /.make_evidence
 

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "manual-testing"]
-	path = manual-testing
-	url = https://codeberg.org/forgejo/forgejo-manual-testing

.gitpod.yml

@@ -43,7 +43,7 @@ vscode:
     - Vue.volar
     - ms-azuretools.vscode-docker
     - vitest.explorer
-    - qwtel.sqlite-viewer
+    - cweijan.vscode-database-client2
     - GitHub.vscode-pull-request-github
 
 ports:

.golangci.yml

@@ -1,136 +1,165 @@
+version: "2"
+output:
+  sort-order:
+    - file
 linters:
+  default: none
   enable:
     - bidichk
-    # - deadcode # deprecated - https://github.com/golangci/golangci-lint/issues/1841
     - depguard
     - dupl
     - errcheck
     - forbidigo
     - gocritic
-    # - gocyclo # The cyclomatic complexety of a lot of functions is too high, we should refactor those another time.
-    - gofmt
-    - gofumpt
-    - gosimple
     - govet
     - ineffassign
     - nakedret
     - nolintlint
     - revive
     - staticcheck
-    # - structcheck # deprecated - https://github.com/golangci/golangci-lint/issues/1841
-    - stylecheck
-    - typecheck
+    - testifylint
     - unconvert
+    - unparam
     - unused
-    # - varcheck # deprecated - https://github.com/golangci/golangci-lint/issues/1841
+    - usetesting
     - wastedassign
-  enable-all: false
-  disable-all: true
-  fast: false
-
-run:
-  timeout: 10m
-  skip-dirs:
-    - node_modules
-    - public
-    - web_src
-
-linters-settings:
-  stylecheck:
-    checks: ["all", "-ST1005", "-ST1003"]
-  nakedret:
-    max-func-lines: 0
-  gocritic:
-    disabled-checks:
-      - ifElseChain
-      - singleCaseSwitch # Every time this occurred in the code, there  was no other way.
-  revive:
-    ignore-generated-header: false
-    severity: warning
-    confidence: 0.8
-    errorCode: 1
-    warningCode: 1
+  settings:
+    depguard:
+      rules:
+        main:
+          deny:
+            - pkg: encoding/json
+              desc: use gitea's modules/json instead of encoding/json
+            - pkg: github.com/unknwon/com
+              desc: use gitea's util and replacements
+            - pkg: io/ioutil
+              desc: use os or io instead
+            - pkg: golang.org/x/exp
+              desc: it's experimental and unreliable
+            - pkg: forgejo.org/modules/git/internal
+              desc: do not use the internal package, use AddXxx function instead
+            - pkg: gopkg.in/ini.v1
+              desc: do not use the ini package, use gitea's config system instead
+            - pkg: github.com/minio/sha256-simd
+              desc: use crypto/sha256 instead, see https://codeberg.org/forgejo/forgejo/pulls/1528
+    gocritic:
+      disabled-checks:
+        - ifElseChain
+    revive:
+      severity: error
+      rules:
+        - name: atomic
+        - name: bare-return
+        - name: blank-imports
+        - name: constant-logical-expr
+        - name: context-as-argument
+        - name: context-keys-type
+        - name: dot-imports
+        - name: duplicated-imports
+        - name: empty-lines
+        - name: error-naming
+        - name: error-return
+        - name: error-strings
+        - name: errorf
+        - name: exported
+        - name: identical-branches
+        - name: if-return
+        - name: increment-decrement
+        - name: indent-error-flow
+        - name: modifies-value-receiver
+        - name: package-comments
+        - name: range
+        - name: receiver-naming
+        - name: redefines-builtin-id
+        - name: string-of-int
+        - name: superfluous-else
+        - name: time-naming
+        - name: unconditional-recursion
+        - name: unexported-return
+        - name: unreachable-code
+        - name: var-declaration
+        - name: var-naming
+        - name: redefines-builtin-id
+          disabled: true
+    staticcheck:
+      checks:
+        - all
+    testifylint:
+      disable:
+        - go-require
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
     rules:
-      - name: blank-imports
-      - name: context-as-argument
-      - name: context-keys-type
-      - name: dot-imports
-      - name: error-return
-      - name: error-strings
-      - name: error-naming
-      - name: exported
-      - name: if-return
-      - name: increment-decrement
-      - name: var-naming
-      - name: var-declaration
-      - name: package-comments
-      - name: range
-      - name: receiver-naming
-      - name: time-naming
-      - name: unexported-return
-      - name: indent-error-flow
-      - name: errorf
-      - name: duplicated-imports
-      - name: modifies-value-receiver
-  gofumpt:
-    extra-rules: true
-  depguard:
-    rules:
-      main:
-        deny:
-          - pkg: encoding/json
-            desc: use gitea's modules/json instead of encoding/json
-          - pkg: github.com/unknwon/com
-            desc: use gitea's util and replacements
-          - pkg: io/ioutil
-            desc: use os or io instead
-          - pkg: golang.org/x/exp
-            desc: it's experimental and unreliable
-          - pkg: code.gitea.io/gitea/modules/git/internal
-            desc: do not use the internal package, use AddXxx function instead
-          - pkg: gopkg.in/ini.v1
-            desc: do not use the ini package, use gitea's config system instead
-          - pkg: github.com/minio/sha256-simd
-            desc: use crypto/sha256 instead, see https://codeberg.org/forgejo/forgejo/pulls/1528
-
+      - linters:
+          - nolintlint
+        path: models/db/sql_postgres_with_schema.go
+      - linters:
+          - dupl
+          - errcheck
+          - gocyclo
+          - gosec
+          - staticcheck
+          - unparam
+        path: _test\.go
+      - linters:
+          - dupl
+          - errcheck
+          - gocyclo
+          - gosec
+        path: models/migrations/v
+      - linters:
+          - forbidigo
+        path: cmd
+      - linters:
+          - dupl
+        text: (?i)webhook
+      - linters:
+          - gocritic
+        text: (?i)`ID' should not be capitalized
+      - linters:
+          - deadcode
+          - unused
+        text: (?i)swagger
+      - linters:
+          - staticcheck
+        text: (?i)argument x is overwritten before first use
+      - linters:
+          - gocritic
+        text: '(?i)commentFormatting: put a space between `//` and comment text'
+      - linters:
+          - gocritic
+        text: '(?i)exitAfterDefer:'
+      - linters:
+          - staticcheck
+        text: "(ST1005|ST1003|QF1001):"
+    paths:
+      - node_modules
+      - public
+      - web_src
+      - third_party$
+      - builtin$
+      - examples$
 issues:
   max-issues-per-linter: 0
   max-same-issues: 0
-  exclude-rules:
-    # Exclude some linters from running on tests files.
-    - path: _test\.go
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-        - unparam
-        - staticcheck
-    - path: models/migrations/v
-      linters:
-        - gocyclo
-        - errcheck
-        - dupl
-        - gosec
-    - path: cmd
-      linters:
-        - forbidigo
-    - linters:
-        - dupl
-      text: "webhook"
-    - linters:
-        - gocritic
-      text: "`ID' should not be capitalized"
-    - linters:
-        - unused
-        - deadcode
-      text: "swagger"
-    - linters:
-        - staticcheck
-      text: "argument x is overwritten before first use"
-    - text: "commentFormatting: put a space between `//` and comment text"
-      linters:
-        - gocritic
-    - text: "exitAfterDefer:"
-      linters:
-        - gocritic
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+  settings:
+    gofumpt:
+      extra-rules: true
+  exclusions:
+    generated: lax
+    paths:
+      - node_modules
+      - public
+      - web_src
+      - third_party$
+      - builtin$
+      - examples$

.ignore

@@ -4,6 +4,8 @@
 /modules/options/bindata.go
 /modules/public/bindata.go
 /modules/templates/bindata.go
-/vendor
+/options/gitignore
+/options/license
 /public/assets
+/vendor
 node_modules

.mailmap

@@ -0,0 +1,2 @@
+Unknwon <u@gogs.io> <joe2010xtmf@163.com>
+Unknwon <u@gogs.io> 无闻 <u@gogs.io>

.release-notes-assistant.yaml

@@ -0,0 +1,27 @@
+categorize: './release-notes-assistant.sh'
+branch-development: 'forgejo'
+branch-pattern: 'v*/forgejo'
+branch-find-version: 'v(?P<version>\d+\.\d+)/forgejo'
+branch-to-version: '${version}.0'
+branch-from-version: 'v%[1]d.%[2]d/forgejo'
+tag-from-version: 'v%[1]d.%[2]d.%[3]d'
+branch-known:
+  - 'v7.0/forgejo'
+cleanup-line: 'sed -Ee "s/^(feat|fix):\s*//g" -e "s/^\[WIP\] //" -e "s/^WIP: //" -e "s;\[(UI|BUG|FEAT|v.*?/forgejo)\]\s*;;g"'
+render-header: |
+
+  ## Release notes
+comment: |
+  <details>
+  <summary>Where does that come from?</summary>
+  The following is a preview of the release notes for this pull request, as they will appear in the upcoming release. They are derived from the content of the `%[2]s/%[3]s.md` file, if it exists, or the title of the pull request. They were also added at the bottom of the description of this pull request for easier reference.
+
+  This message and the release notes originate from a call to the [release-notes-assistant](https://code.forgejo.org/forgejo/release-notes-assistant).
+
+  ```diff
+  %[4]s
+  ```
+
+  </details>
+
+  %[1]s

.stylelintrc.yaml

@@ -1,223 +0,0 @@
-plugins:
-  - stylelint-declaration-strict-value
-  - stylelint-declaration-block-no-ignored-properties
-  - "@stylistic/stylelint-plugin"
-
-ignoreFiles:
-  - "**/*.go"
-
-overrides:
-  - files: ["**/chroma/*", "**/codemirror/*", "**/standalone/*", "**/console.css", "font_i18n.css"]
-    rules:
-      scale-unlimited/declaration-strict-value: null
-  - files: ["**/chroma/*", "**/codemirror/*"]
-    rules:
-      block-no-empty: null
-  - files: ["**/*.vue"]
-    customSyntax: postcss-html
-
-rules:
-  "@stylistic/at-rule-name-case": null
-  "@stylistic/at-rule-name-newline-after": null
-  "@stylistic/at-rule-name-space-after": null
-  "@stylistic/at-rule-semicolon-newline-after": null
-  "@stylistic/at-rule-semicolon-space-before": null
-  "@stylistic/block-closing-brace-empty-line-before": null
-  "@stylistic/block-closing-brace-newline-after": null
-  "@stylistic/block-closing-brace-newline-before": null
-  "@stylistic/block-closing-brace-space-after": null
-  "@stylistic/block-closing-brace-space-before": null
-  "@stylistic/block-opening-brace-newline-after": null
-  "@stylistic/block-opening-brace-newline-before": null
-  "@stylistic/block-opening-brace-space-after": null
-  "@stylistic/block-opening-brace-space-before": always
-  "@stylistic/color-hex-case": lower
-  "@stylistic/declaration-bang-space-after": never
-  "@stylistic/declaration-bang-space-before": null
-  "@stylistic/declaration-block-semicolon-newline-after": null
-  "@stylistic/declaration-block-semicolon-newline-before": null
-  "@stylistic/declaration-block-semicolon-space-after": null
-  "@stylistic/declaration-block-semicolon-space-before": never
-  "@stylistic/declaration-block-trailing-semicolon": null
-  "@stylistic/declaration-colon-newline-after": null
-  "@stylistic/declaration-colon-space-after": null
-  "@stylistic/declaration-colon-space-before": never
-  "@stylistic/function-comma-newline-after": null
-  "@stylistic/function-comma-newline-before": null
-  "@stylistic/function-comma-space-after": null
-  "@stylistic/function-comma-space-before": null
-  "@stylistic/function-max-empty-lines": 0
-  "@stylistic/function-parentheses-newline-inside": never-multi-line
-  "@stylistic/function-parentheses-space-inside": null
-  "@stylistic/function-whitespace-after": null
-  "@stylistic/indentation": 2
-  "@stylistic/linebreaks": null
-  "@stylistic/max-empty-lines": 1
-  "@stylistic/max-line-length": null
-  "@stylistic/media-feature-colon-space-after": null
-  "@stylistic/media-feature-colon-space-before": never
-  "@stylistic/media-feature-name-case": null
-  "@stylistic/media-feature-parentheses-space-inside": null
-  "@stylistic/media-feature-range-operator-space-after": always
-  "@stylistic/media-feature-range-operator-space-before": always
-  "@stylistic/media-query-list-comma-newline-after": null
-  "@stylistic/media-query-list-comma-newline-before": null
-  "@stylistic/media-query-list-comma-space-after": null
-  "@stylistic/media-query-list-comma-space-before": null
-  "@stylistic/named-grid-areas-alignment": null
-  "@stylistic/no-empty-first-line": null
-  "@stylistic/no-eol-whitespace": true
-  "@stylistic/no-extra-semicolons": true
-  "@stylistic/no-missing-end-of-source-newline": null
-  "@stylistic/number-leading-zero": null
-  "@stylistic/number-no-trailing-zeros": null
-  "@stylistic/property-case": lower
-  "@stylistic/selector-attribute-brackets-space-inside": null
-  "@stylistic/selector-attribute-operator-space-after": null
-  "@stylistic/selector-attribute-operator-space-before": null
-  "@stylistic/selector-combinator-space-after": null
-  "@stylistic/selector-combinator-space-before": null
-  "@stylistic/selector-descendant-combinator-no-non-space": null
-  "@stylistic/selector-list-comma-newline-after": null
-  "@stylistic/selector-list-comma-newline-before": null
-  "@stylistic/selector-list-comma-space-after": always-single-line
-  "@stylistic/selector-list-comma-space-before": never-single-line
-  "@stylistic/selector-max-empty-lines": 0
-  "@stylistic/selector-pseudo-class-case": lower
-  "@stylistic/selector-pseudo-class-parentheses-space-inside": never
-  "@stylistic/selector-pseudo-element-case": lower
-  "@stylistic/string-quotes": double
-  "@stylistic/unicode-bom": null
-  "@stylistic/unit-case": lower
-  "@stylistic/value-list-comma-newline-after": null
-  "@stylistic/value-list-comma-newline-before": null
-  "@stylistic/value-list-comma-space-after": null
-  "@stylistic/value-list-comma-space-before": null
-  "@stylistic/value-list-max-empty-lines": 0
-  alpha-value-notation: null
-  annotation-no-unknown: true
-  at-rule-allowed-list: null
-  at-rule-disallowed-list: null
-  at-rule-empty-line-before: null
-  at-rule-no-unknown: [true, {ignoreAtRules: [tailwind]}]
-  at-rule-no-vendor-prefix: true
-  at-rule-property-required-list: null
-  block-no-empty: true
-  color-function-notation: null
-  color-hex-alpha: null
-  color-hex-length: null
-  color-named: null
-  color-no-hex: null
-  color-no-invalid-hex: true
-  comment-empty-line-before: null
-  comment-no-empty: true
-  comment-pattern: null
-  comment-whitespace-inside: null
-  comment-word-disallowed-list: null
-  custom-media-pattern: null
-  custom-property-empty-line-before: null
-  custom-property-no-missing-var-function: true
-  custom-property-pattern: null
-  declaration-block-no-duplicate-custom-properties: true
-  declaration-block-no-duplicate-properties: [true, {ignore: [consecutive-duplicates-with-different-values]}]
-  declaration-block-no-redundant-longhand-properties: null
-  declaration-block-no-shorthand-property-overrides: null
-  declaration-block-single-line-max-declarations: null
-  declaration-empty-line-before: null
-  declaration-no-important: null
-  declaration-property-max-values: null
-  declaration-property-unit-allowed-list: null
-  declaration-property-unit-disallowed-list: {line-height: [em]}
-  declaration-property-value-allowed-list: null
-  declaration-property-value-disallowed-list: null
-  declaration-property-value-no-unknown: true
-  font-family-name-quotes: always-where-recommended
-  font-family-no-duplicate-names: true
-  font-family-no-missing-generic-family-keyword: true
-  font-weight-notation: null
-  function-allowed-list: null
-  function-calc-no-unspaced-operator: true
-  function-disallowed-list: null
-  function-linear-gradient-no-nonstandard-direction: true
-  function-name-case: lower
-  function-no-unknown: true
-  function-url-no-scheme-relative: null
-  function-url-quotes: always
-  function-url-scheme-allowed-list: null
-  function-url-scheme-disallowed-list: null
-  hue-degree-notation: null
-  import-notation: string
-  keyframe-block-no-duplicate-selectors: true
-  keyframe-declaration-no-important: true
-  keyframe-selector-notation: null
-  keyframes-name-pattern: null
-  length-zero-no-unit: [true, ignore: [custom-properties], ignoreFunctions: [var]]
-  max-nesting-depth: null
-  media-feature-name-allowed-list: null
-  media-feature-name-disallowed-list: null
-  media-feature-name-no-unknown: true
-  media-feature-name-no-vendor-prefix: true
-  media-feature-name-unit-allowed-list: null
-  media-feature-name-value-allowed-list: null
-  media-feature-name-value-no-unknown: true
-  media-feature-range-notation: null
-  media-query-no-invalid: true
-  named-grid-areas-no-invalid: true
-  no-descending-specificity: null
-  no-duplicate-at-import-rules: true
-  no-duplicate-selectors: true
-  no-empty-source: true
-  no-invalid-double-slash-comments: true
-  no-invalid-position-at-import-rule: [true, ignoreAtRules: [tailwind]]
-  no-irregular-whitespace: true
-  no-unknown-animations: null
-  no-unknown-custom-properties: null
-  number-max-precision: null
-  plugin/declaration-block-no-ignored-properties: true
-  property-allowed-list: null
-  property-disallowed-list: null
-  property-no-unknown: true
-  property-no-vendor-prefix: null
-  rule-empty-line-before: null
-  rule-selector-property-disallowed-list: null
-  scale-unlimited/declaration-strict-value: [[/color$/, font-weight], {ignoreValues: /^(inherit|transparent|unset|initial|currentcolor|none)$/, ignoreFunctions: false, disableFix: true, expandShorthand: true}]
-  selector-anb-no-unmatchable: true
-  selector-attribute-name-disallowed-list: null
-  selector-attribute-operator-allowed-list: null
-  selector-attribute-operator-disallowed-list: null
-  selector-attribute-quotes: always
-  selector-class-pattern: null
-  selector-combinator-allowed-list: null
-  selector-combinator-disallowed-list: null
-  selector-disallowed-list: null
-  selector-id-pattern: null
-  selector-max-attribute: null
-  selector-max-class: null
-  selector-max-combinators: null
-  selector-max-compound-selectors: null
-  selector-max-id: null
-  selector-max-pseudo-class: null
-  selector-max-specificity: null
-  selector-max-type: null
-  selector-max-universal: null
-  selector-nested-pattern: null
-  selector-no-qualifying-type: null
-  selector-no-vendor-prefix: true
-  selector-not-notation: null
-  selector-pseudo-class-allowed-list: null
-  selector-pseudo-class-disallowed-list: null
-  selector-pseudo-class-no-unknown: true
-  selector-pseudo-element-allowed-list: null
-  selector-pseudo-element-colon-notation: double
-  selector-pseudo-element-disallowed-list: null
-  selector-pseudo-element-no-unknown: true
-  selector-type-case: lower
-  selector-type-no-unknown: [true, {ignore: [custom-elements]}]
-  shorthand-property-no-redundant-values: true
-  string-no-newline: true
-  time-min-milliseconds: null
-  unit-allowed-list: null
-  unit-disallowed-list: null
-  unit-no-unknown: true
-  value-keyword-case: null
-  value-no-vendor-prefix: [true, {ignoreValues: [box, inline-box]}]

BSDmakefile

@@ -36,10 +36,6 @@ GARGS = "--no-print-directory"
     JARG = -j$(.MAKE.JOBS)
 .endif
 
-# bmake prefers out-of-source builds and tries to cd into ./obj (among others)
-# where possible. GNU Make doesn't, so override that value.
-.OBJDIR: ./
-
 # The GNU convention is to use the lowercased `prefix` variable/macro to
 # specify the installation directory. Humor them.
 GPREFIX =
@@ -48,11 +44,12 @@ GPREFIX =
 .endif
 
 .BEGIN: .SILENT
-	which $(GMAKE) || (printf "Error: GNU Make is required!\n\n" 1>&2 && false)
+	which $(GMAKE) >/dev/null || (printf "Error: GNU Make is required!\n\n" 1>&2 && false)
 
-.PHONY: FRC
-$(.TARGETS): FRC
-	$(GMAKE) $(GPREFIX) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)
+.PHONY: EMPTY
+EMPTY: .SILENT
+	$(GMAKE) $(GPREFIX) $(GARGS) $(JARG)
 
-.DONE .DEFAULT: .SILENT
-	$(GMAKE) $(GPREFIX) $(GARGS) $(.TARGETS:S,.DONE,,) $(JARG)
+.PHONY: $(.TARGETS)
+$(.TARGETS): .SILENT
+	$(GMAKE) $(GPREFIX) $(GARGS) $(JARG) $@

CODEOWNERS

@@ -6,27 +6,36 @@
 
 # Please mind the alphabetic order of reviewers.
 
-# Files related to the CI of the Forgejo project.
-.forgejo/.* @dachary @earl-warren
-
 # Files related to frontend development.
 
 # Javascript and CSS code.
-web_src/.* @caesar @crystal @gusted
+web_src/.* @beowulf @gusted
 
 # HTML templates used by the backend.
-templates/.* @caesar @crystal @gusted
+templates/.* @beowulf @gusted
+## the issue sidebar was touched by fnetx
+templates/repo/issue/view_content/sidebar.* @fnetx
+
+# Playwright tests
+tests/e2e/.* @fnetx
 
 # Files related to Go development.
 
 # The modules usually don't require much knowledge about Forgejo and could
 # be reviewed by Go developers.
-modules/.* @dachary @earl-warren @gusted
+modules/.* @gusted
 
 # Models has code related to SQL queries, general database knowledge and XORM.
-models/.* @dachary @earl-warren @gusted
+models/.* @gusted
 
 # The routers directory contains the most amount code that requires a good grasp
 # of how Forgejo comes together. It's tedious to write good integration testing
 # for code that lives in here.
-routers/.* @dachary @earl-warren @gusted
+routers/.* @gusted
+
+# Let locale changes be checked by the translation team.
+options/locale/.* @0ko
+options/locale_next/.* @0ko
+
+# Personal interest
+.*/webhook.* @oliverpool

CONTRIBUTING.md

@@ -4,21 +4,4 @@ The Forgejo project is run by a community of people who are expected to follow t
 
 Sensitive security-related issues should be reported to [security@forgejo.org](mailto:security@forgejo.org) using [encryption](https://keyoxide.org/security@forgejo.org).
 
-## For everyone involved
-
-- [Documentation](https://forgejo.org/docs/next/)
-- [Code of Conduct](https://forgejo.org/docs/latest/developer/coc/)
-- [Bugs, features, security and others discussions](https://forgejo.org/docs/latest/developer/discussions/)
-- [Governance](https://forgejo.org/docs/latest/developer/governance/)
-- [Sustainability and funding](https://codeberg.org/forgejo/sustainability/src/branch/main/README.md)
-
-## For contributors
-
-- [Developer Certificate of Origin (DCO)](https://forgejo.org/docs/latest/developer/dco/)
-- [Development workflow](https://forgejo.org/docs/latest/developer/workflow/)
-- [Compiling from source](https://forgejo.org/docs/latest/developer/from-source/)
-
-## For maintainers
-
-- [Release management](https://forgejo.org/docs/latest/developer/release/)
-- [Secrets](https://forgejo.org/docs/latest/developer/secrets/)
+You can find links to the different aspects of Developer documentation on this page: [Forgejo Contributor Guide](https://forgejo.org/docs/next/contributor/).

Dockerfile

@@ -1,13 +1,13 @@
-FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx
 
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.22-alpine3.19 as build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env
 
 ARG GOPROXY
-ENV GOPROXY ${GOPROXY:-direct}
+ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
 
 ARG RELEASE_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
-ENV TAGS "bindata timetzdata $TAGS"
+ENV TAGS="bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
 
 #
@@ -30,13 +30,13 @@ RUN cp /*-alpine-linux-musl*/lib/ld-musl-*.so.1 /lib || true
 
 RUN apk --no-cache add build-base git nodejs npm
 
-COPY . ${GOPATH}/src/code.gitea.io/gitea
-WORKDIR ${GOPATH}/src/code.gitea.io/gitea
+COPY . ${GOPATH}/src/forgejo.org
+WORKDIR ${GOPATH}/src/forgejo.org
 
 RUN make clean
 RUN make frontend
 RUN go build contrib/environment-to-ini/environment-to-ini.go && xx-verify environment-to-ini
-RUN make RELEASE_VERSION=$RELEASE_VERSION go-check generate-backend static-executable && xx-verify gitea
+RUN LDFLAGS="-buildid=" make RELEASE_VERSION=$RELEASE_VERSION GOFLAGS="-trimpath" go-check generate-backend static-executable && xx-verify gitea
 
 # Copy local files
 COPY docker/root /tmp/local
@@ -47,12 +47,22 @@ RUN chmod 755 /tmp/local/usr/bin/entrypoint \
               /tmp/local/etc/s6/gitea/* \
               /tmp/local/etc/s6/openssh/* \
               /tmp/local/etc/s6/.s6-svscan/* \
-              /go/src/code.gitea.io/gitea/gitea \
-              /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
+              /go/src/forgejo.org/gitea \
+              /go/src/forgejo.org/environment-to-ini
+RUN chmod 644 /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete
 
-FROM docker.io/library/alpine:3.19
-LABEL maintainer="contact@forgejo.org"
+FROM data.forgejo.org/oci/alpine:3.21
+ARG RELEASE_VERSION
+LABEL maintainer="contact@forgejo.org" \
+      org.opencontainers.image.authors="Forgejo" \
+      org.opencontainers.image.url="https://forgejo.org" \
+      org.opencontainers.image.documentation="https://forgejo.org/download/#container-image" \
+      org.opencontainers.image.source="https://codeberg.org/forgejo/forgejo" \
+      org.opencontainers.image.version="${RELEASE_VERSION}" \
+      org.opencontainers.image.vendor="Forgejo" \
+      org.opencontainers.image.licenses="GPL-3.0-or-later" \
+      org.opencontainers.image.title="Forgejo. Beyond coding. We forge." \
+      org.opencontainers.image.description="Forgejo is a self-hosted lightweight software forge. Easy to install and low maintenance, it just does the job."
 
 EXPOSE 22 3000
 
@@ -82,16 +92,17 @@ RUN addgroup \
     git && \
   echo "git:*" | chpasswd -e
 
-ENV USER git
-ENV GITEA_CUSTOM /data/gitea
+ENV USER=git
+ENV GITEA_CUSTOM=/data/gitea
 
 VOLUME ["/data"]
 
 ENTRYPOINT ["/usr/bin/entrypoint"]
-CMD ["/bin/s6-svscan", "/etc/s6"]
+CMD ["/usr/bin/s6-svscan", "/etc/s6"]
 
 COPY --from=build-env /tmp/local /
 RUN cd /usr/local/bin ; ln -s gitea forgejo
-COPY --from=build-env /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
-COPY --from=build-env /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
-COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
+COPY --from=build-env /go/src/forgejo.org/gitea /app/gitea/gitea
+RUN ln -s /app/gitea/gitea /app/gitea/forgejo-cli
+COPY --from=build-env /go/src/forgejo.org/environment-to-ini /usr/local/bin/environment-to-ini
+COPY --from=build-env /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh

Dockerfile.rootless

@@ -1,13 +1,13 @@
-FROM --platform=$BUILDPLATFORM docker.io/tonistiigi/xx AS xx
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/xx AS xx
 
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.22-alpine3.19 as build-env
+FROM --platform=$BUILDPLATFORM data.forgejo.org/oci/golang:1.24-alpine3.21 AS build-env
 
 ARG GOPROXY
-ENV GOPROXY ${GOPROXY:-direct}
+ENV GOPROXY=${GOPROXY:-https://proxy.golang.org,direct}
 
 ARG RELEASE_VERSION
 ARG TAGS="sqlite sqlite_unlock_notify"
-ENV TAGS "bindata timetzdata $TAGS"
+ENV TAGS="bindata timetzdata $TAGS"
 ARG CGO_EXTRA_CFLAGS
 
 #
@@ -30,8 +30,8 @@ RUN cp /*-alpine-linux-musl*/lib/ld-musl-*.so.1 /lib || true
 
 RUN apk --no-cache add build-base git nodejs npm
 
-COPY . ${GOPATH}/src/code.gitea.io/gitea
-WORKDIR ${GOPATH}/src/code.gitea.io/gitea
+COPY . ${GOPATH}/src/forgejo.org
+WORKDIR ${GOPATH}/src/forgejo.org
 
 RUN make clean
 RUN make frontend
@@ -45,12 +45,22 @@ COPY docker/rootless /tmp/local
 RUN chmod 755 /tmp/local/usr/local/bin/docker-entrypoint.sh \
               /tmp/local/usr/local/bin/docker-setup.sh \
               /tmp/local/usr/local/bin/gitea \
-              /go/src/code.gitea.io/gitea/gitea \
-              /go/src/code.gitea.io/gitea/environment-to-ini
-RUN chmod 644 /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete
+              /go/src/forgejo.org/gitea \
+              /go/src/forgejo.org/environment-to-ini
+RUN chmod 644 /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete
 
-FROM docker.io/library/alpine:3.19
-LABEL maintainer="contact@forgejo.org"
+FROM data.forgejo.org/oci/alpine:3.21
+ARG RELEASE_VERSION
+LABEL maintainer="contact@forgejo.org" \
+      org.opencontainers.image.authors="Forgejo" \
+      org.opencontainers.image.url="https://forgejo.org" \
+      org.opencontainers.image.documentation="https://forgejo.org/download/#container-image" \
+      org.opencontainers.image.source="https://codeberg.org/forgejo/forgejo" \
+      org.opencontainers.image.version="${RELEASE_VERSION}" \
+      org.opencontainers.image.vendor="Forgejo" \
+      org.opencontainers.image.licenses="GPL-3.0-or-later" \
+      org.opencontainers.image.title="Forgejo. Beyond coding. We forge." \
+      org.opencontainers.image.description="Forgejo is a self-hosted lightweight software forge. Easy to install and low maintenance, it just does the job."
 
 EXPOSE 2222 3000
 
@@ -62,6 +72,7 @@ RUN apk --no-cache add \
     git \
     curl \
     gnupg \
+    openssh-client \
     && rm -rf /var/cache/apk/*
 
 RUN addgroup \
@@ -80,23 +91,26 @@ RUN chown git:git /var/lib/gitea /etc/gitea
 
 COPY --from=build-env /tmp/local /
 RUN cd /usr/local/bin ; ln -s gitea forgejo
-COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/gitea /app/gitea/gitea
-COPY --from=build-env --chown=root:root /go/src/code.gitea.io/gitea/environment-to-ini /usr/local/bin/environment-to-ini
-COPY --from=build-env /go/src/code.gitea.io/gitea/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
+COPY --from=build-env --chown=root:root /go/src/forgejo.org/gitea /app/gitea/gitea
+RUN ln -s /app/gitea/gitea /app/gitea/forgejo-cli
+COPY --from=build-env --chown=root:root /go/src/forgejo.org/environment-to-ini /usr/local/bin/environment-to-ini
+COPY --from=build-env /go/src/forgejo.org/contrib/autocompletion/bash_autocomplete /etc/profile.d/gitea_bash_autocomplete.sh
 
 #git:git
 USER 1000:1000
-ENV GITEA_WORK_DIR /var/lib/gitea
-ENV GITEA_CUSTOM /var/lib/gitea/custom
-ENV GITEA_TEMP /tmp/gitea
-ENV TMPDIR /tmp/gitea
+ENV GITEA_WORK_DIR=/var/lib/gitea
+ENV GITEA_CUSTOM=/var/lib/gitea/custom
+ENV GITEA_TEMP=/tmp/gitea
+ENV TMPDIR=/tmp/gitea
 
-#TODO add to docs the ability to define the ini to load (useful to test and revert a config)
-ENV GITEA_APP_INI /etc/gitea/app.ini
-ENV HOME "/var/lib/gitea/git"
+# Legacy config file for backwards compatibility
+# TODO: remove on next major version release
+ENV GITEA_APP_INI_LEGACY=/etc/gitea/app.ini
+
+ENV GITEA_APP_INI=${GITEA_CUSTOM}/conf/app.ini
+ENV HOME="/var/lib/gitea/git"
 VOLUME ["/var/lib/gitea", "/etc/gitea"]
 WORKDIR /var/lib/gitea
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--", "/usr/local/bin/docker-entrypoint.sh"]
 CMD []
-

LICENSE

@@ -1,21 +1,674 @@
-Copyright (c) 2022 The Forgejo Authors
-Copyright (c) 2016 The Gitea Authors
-Copyright (c) 2015 The Gogs Authors
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
 
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
+                            Preamble
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<https://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<https://www.gnu.org/licenses/why-not-lgpl.html>.

MAINTAINERS

@@ -1,61 +0,0 @@
-Alexey Makhov <amakhov@avito.ru> (@makhov)
-Bo-Yi Wu <appleboy.tw@gmail.com> (@appleboy)
-Ethan Koenig <ethantkoenig@gmail.com> (@ethantkoenig)
-Kees de Vries <bouwko@gmail.com> (@Bwko)
-Kim Carlbäcker <kim.carlbacker@gmail.com> (@bkcsoft)
-LefsFlare <nobody@nobody.tld> (@LefsFlarey)
-Lunny Xiao <xiaolunwen@gmail.com> (@lunny)
-Rachid Zarouali <nobody@nobody.tld> (@xinity)
-Rémy Boulanouar <admin@dblk.org> (@DblK)
-Sandro Santilli <strk@kbt.io> (@strk)
-Thibault Meyer <meyer.thibault@gmail.com> (@0xbaadf00d)
-Thomas Boerger <thomas@webhippie.de> (@tboerger)
-Patrick G <geek1011@outlook.com> (@geek1011)
-Antoine Girard <sapk@sapk.fr> (@sapk)
-Lauris Bukšis-Haberkorns <lauris@nix.lv> (@lafriks)
-Jonas Östanbäck <jonas.ostanback@gmail.com> (@cez81)
-David Schneiderbauer <dschneiderbauer@gmail.com> (@daviian)
-Peter Žeby <morlinest@gmail.com> (@morlinest)
-Matti Ranta <techknowlogick@gitea.io> (@techknowlogick)
-Jonas Franz <info@jonasfranz.software> (@jonasfranz)
-Alexey Terentyev <axifnx@gmail.com> (@axifive)
-Lanre Adelowo <yo@lanre.wtf> (@adelowo)
-Konrad Langenberg <k@knt.li> (@kolaente)
-He-Long Zhang <outman99@hotmail.com> (@BetaCat0)
-Andrew Thornton <art27@cantab.net> (@zeripath)
-John Olheiser <john.olheiser@gmail.com> (@jolheiser)
-Richard Mahn <rich.mahn@unfoldingword.org> (@richmahn)
-Mrsdizzie <info@mrsdizzie.com> (@mrsdizzie)
-silverwind <me@silverwind.io> (@silverwind)
-Gary Kim <gary@garykim.dev> (@gary-kim)
-Guillermo Prandi <gitea.maint@mailfilter.com.ar> (@guillep2k)
-Mura Li <typeless@ctli.io> (@typeless)
-6543 <6543@obermui.de> (@6543)
-jaqra <jaqra@hotmail.com> (@jaqra)
-David Svantesson <davidsvantesson@gmail.com> (@davidsvantesson)
-a1012112796 <1012112796@qq.com> (@a1012112796)
-Karl Heinz Marbaise <kama@soebes.de> (@khmarbaise)
-Norwin Roosen <git@nroo.de> (@noerw)
-Kyle Dumont <kdumontnu@gmail.com> (@kdumontnu)
-Patrick Schratz <patrick.schratz@gmail.com> (@pat-s)
-Janis Estelmann <admin@oldschoolhack.me> (@KN4CK3R)
-Steven Kriegler <sk.bunsenbrenner@gmail.com> (@justusbunsi)
-Jimmy Praet <jimmy.praet@telenet.be> (@jpraet)
-Leon Hofmeister <dev.lh@web.de> (@delvh)
-Wim <wim@42.be> (@42wim)
-Jason Song <i@wolfogre.com> (@wolfogre)
-Yarden Shoham <git@yardenshoham.com> (@yardenshoham)
-Yu Tian <zettat123@gmail.com> (@Zettat123)
-Eddie Yang <576951401@qq.com> (@yp05327)
-Dong Ge <gedong_1994@163.com> (@sillyguodong)
-Xinyi Gong <hestergong@gmail.com> (@HesterG)
-wxiaoguang <wxiaoguang@gmail.com> (@wxiaoguang)
-Gary Moon <gary@garymoon.net> (@garymoon)
-Philip Peterson <philip.c.peterson@gmail.com> (@philip-peterson)
-Denys Konovalov <kontakt@denyskon.de> (@denyskon)
-Punit Inani <punitinani1@gmail.com> (@puni9869)
-CaiCandong  <1290147055@qq.com> (@caicandong)
-Rui Chen  <rui@chenrui.dev> (@chenrui333)
-Nanguan Lin <nanguanlin6@gmail.com> (@lng2020)
-kerwin612 <kerwin612@qq.com> (@kerwin612)
-Gary Wang <git@blumia.net> (@BLumia)

Makefile

@@ -16,52 +16,51 @@ else
 
 DIST := dist
 DIST_DIRS := $(DIST)/binaries $(DIST)/release
-IMPORT := code.gitea.io/gitea
+IMPORT := forgejo.org
 
-GO ?= go
+GO ?= $(shell go env GOROOT)/bin/go
 SHASUM ?= shasum -a 256
 HAS_GO := $(shell hash $(GO) > /dev/null 2>&1 && echo yes)
 COMMA := ,
 DIFF ?= diff --unified
 
+ifeq ($(USE_GOTESTSUM), yes)
+	GOTEST ?= gotestsum --
+	GOTESTCOMPILEDRUNPREFIX ?= gotestsum --raw-command -- go tool test2json -t
+	GOTESTCOMPILEDRUNSUFFIX ?= -test.v=test2json
+else
+	GOTEST ?= $(GO) test
+	GOTESTCOMPILEDRUNPREFIX ?=
+	GOTESTCOMPILEDRUNSUFFIX ?=
+endif
+
 XGO_VERSION := go-1.21.x
 
-AIR_PACKAGE ?= github.com/cosmtrek/air@v1.49.0
-EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/cmd/editorconfig-checker@2.7.0
-GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.6.0
-GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/cmd/golangci-lint@v1.56.1
-GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11
-MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.4.1
-SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.30.6-0.20240201115257-bcc7c78b7786
+AIR_PACKAGE ?= github.com/air-verse/air@v1 # renovate: datasource=go
+EDITORCONFIG_CHECKER_PACKAGE ?= github.com/editorconfig-checker/editorconfig-checker/v3/cmd/editorconfig-checker@v3.2.1 # renovate: datasource=go
+GOFUMPT_PACKAGE ?= mvdan.cc/gofumpt@v0.8.0 # renovate: datasource=go
+GOLANGCI_LINT_PACKAGE ?= github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.1.6 # renovate: datasource=go
+GXZ_PACKAGE ?= github.com/ulikunitz/xz/cmd/gxz@v0.5.11 # renovate: datasource=go
+MISSPELL_PACKAGE ?= github.com/golangci/misspell/cmd/misspell@v0.6.0 # renovate: datasource=go
+SWAGGER_PACKAGE ?= github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 # renovate: datasource=go
 XGO_PACKAGE ?= src.techknowlogick.com/xgo@latest
-GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0
-GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1.0.3
-ACTIONLINT_PACKAGE ?= github.com/rhysd/actionlint/cmd/actionlint@v1.6.26
-DEADCODE_PACKAGE ?= golang.org/x/tools/internal/cmd/deadcode@v0.14.0
+GO_LICENSES_PACKAGE ?= github.com/google/go-licenses@v1.6.0 # renovate: datasource=go
+GOVULNCHECK_PACKAGE ?= golang.org/x/vuln/cmd/govulncheck@v1 # renovate: datasource=go
+DEADCODE_PACKAGE ?= golang.org/x/tools/cmd/deadcode@v0.32.0 # renovate: datasource=go
+GOMOCK_PACKAGE ?= go.uber.org/mock/mockgen@v0.5.1 # renovate: datasource=go
+GOPLS_PACKAGE ?= golang.org/x/tools/gopls@v0.18.1 # renovate: datasource=go
+RENOVATE_NPM_PACKAGE ?= renovate@40.11.19 # renovate: datasource=docker packageName=data.forgejo.org/renovate/renovate
 
-DOCKER_IMAGE ?= gitea/gitea
-DOCKER_TAG ?= latest
-DOCKER_REF := $(DOCKER_IMAGE):$(DOCKER_TAG)
+# https://github.com/disposable-email-domains/disposable-email-domains/commits/main/
+DISPOSABLE_EMAILS_SHA ?= 0c27e671231d27cf66370034d7f6818037416989 # renovate: ...
 
 ifeq ($(HAS_GO), yes)
 	CGO_EXTRA_CFLAGS := -DSQLITE_MAX_VARIABLE_NUMBER=32766
 	CGO_CFLAGS ?= $(shell $(GO) env CGO_CFLAGS) $(CGO_EXTRA_CFLAGS)
 endif
 
-ifeq ($(GOOS),windows)
-	IS_WINDOWS := yes
-else ifeq ($(patsubst Windows%,Windows,$(OS)),Windows)
-	ifeq ($(GOOS),)
-		IS_WINDOWS := yes
-	endif
-endif
-ifeq ($(IS_WINDOWS),yes)
-	GOFLAGS := -v -buildmode=exe
-	EXECUTABLE ?= gitea.exe
-else
-	GOFLAGS := -v
-	EXECUTABLE ?= gitea
-endif
+GOFLAGS := -v
+EXECUTABLE ?= gitea
 
 ifeq ($(shell sed --version 2>/dev/null | grep -q GNU && echo gnu),gnu)
 	SED_INPLACE := sed -i
@@ -88,39 +87,48 @@ STORED_VERSION=$(shell cat $(STORED_VERSION_FILE) 2>/dev/null)
 ifneq ($(STORED_VERSION),)
   FORGEJO_VERSION ?= $(STORED_VERSION)
 else
-  # drop the "g" prefix prepended by git describe to the commit hash
-  FORGEJO_VERSION ?= $(shell git describe --exclude '*-test' --tags --always | sed 's/^v//' | sed 's/\-g/-/')+${GITEA_COMPATIBILITY}
+  ifneq ($(GITEA_VERSION),)
+    FORGEJO_VERSION ?= $(GITEA_VERSION)
+    FORGEJO_VERSION_API ?= $(GITEA_VERSION)+${GITEA_COMPATIBILITY}
+  else
+    # drop the "g" prefix prepended by git describe to the commit hash
+    FORGEJO_VERSION ?= $(shell git describe --exclude '*-test' --tags --always 2>/dev/null | sed 's/^v//' | sed 's/\-g/-/')
+    ifneq ($(FORGEJO_VERSION),)
+      ifneq ($(GITEA_COMPATIBILITY),)
+        FORGEJO_VERSION := $(FORGEJO_VERSION)+$(GITEA_COMPATIBILITY)
+      endif
+    endif
+  endif
 endif
 FORGEJO_VERSION_MAJOR=$(shell echo $(FORGEJO_VERSION) | sed -e 's/\..*//')
 FORGEJO_VERSION_MINOR=$(shell echo $(FORGEJO_VERSION) | sed -E -e 's/^([0-9]+\.[0-9]+).*/\1/')
 
-show-version-full:
-	@echo ${FORGEJO_VERSION}
-
-show-version-major:
-	@echo ${FORGEJO_VERSION_MAJOR}
-
-show-version-minor:
-	@echo ${FORGEJO_VERSION_MINOR}
-
 RELEASE_VERSION ?= ${FORGEJO_VERSION}
 VERSION ?= ${RELEASE_VERSION}
 
-LDFLAGS := $(LDFLAGS) -X "main.ReleaseVersion=$(RELEASE_VERSION)" -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(FORGEJO_VERSION)" -X "main.Tags=$(TAGS)" -X "main.ForgejoVersion=$(FORGEJO_VERSION)"
+FORGEJO_VERSION_API ?= ${FORGEJO_VERSION}
+
+# Strip binaries by default to reduce size, allow overriding for debugging
+STRIP ?= 1
+ifeq ($(STRIP),1)
+	LDFLAGS := $(LDFLAGS) -s -w
+endif
+LDFLAGS := $(LDFLAGS) -X "main.ReleaseVersion=$(RELEASE_VERSION)" -X "main.MakeVersion=$(MAKE_VERSION)" -X "main.Version=$(FORGEJO_VERSION)" -X "main.Tags=$(TAGS)" -X "main.ForgejoVersion=$(FORGEJO_VERSION_API)"
 
 LINUX_ARCHS ?= linux/amd64,linux/386,linux/arm-5,linux/arm-6,linux/arm64
 
 ifeq ($(HAS_GO), yes)
-	GO_PACKAGES ?= $(filter-out code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration code.gitea.io/gitea/tests/e2e,$(shell $(GO) list ./... | grep -v /vendor/))
-	GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list code.gitea.io/gitea/models/migrations/...) $(shell $(GO) list code.gitea.io/gitea/models/forgejo_migrations/...) code.gitea.io/gitea/tests/integration/migration-test code.gitea.io/gitea/tests code.gitea.io/gitea/tests/integration code.gitea.io/gitea/tests/e2e,$(shell $(GO) list ./... | grep -v /vendor/))
+	GO_TEST_PACKAGES ?= $(filter-out $(shell $(GO) list forgejo.org/models/migrations/...) $(shell $(GO) list forgejo.org/models/forgejo_migrations/...) forgejo.org/tests/integration/migration-test forgejo.org/tests forgejo.org/tests/integration forgejo.org/tests/e2e,$(shell $(GO) list ./...))
 endif
+REMOTE_CACHER_MODULES ?= cache nosql session queue
+GO_TEST_REMOTE_CACHER_PACKAGES ?= $(addprefix forgejo.org/modules/,$(REMOTE_CACHER_MODULES))
 
 FOMANTIC_WORK_DIR := web_src/fomantic
 
 WEBPACK_SOURCES := $(shell find web_src/js web_src/css -type f)
 WEBPACK_CONFIGS := webpack.config.js tailwind.config.js
 WEBPACK_DEST := public/assets/js/index.js public/assets/css/index.css
-WEBPACK_DEST_ENTRIES := public/assets/js public/assets/css public/assets/fonts public/assets/img/webpack
+WEBPACK_DEST_ENTRIES := public/assets/js public/assets/css public/assets/fonts
 
 BINDATA_DEST := modules/public/bindata.go modules/options/bindata.go modules/templates/bindata.go
 BINDATA_HASH := $(addsuffix .hash,$(BINDATA_DEST))
@@ -145,9 +153,8 @@ TAR_EXCLUDES := .git data indexers queues log node_modules $(EXECUTABLE) $(FOMAN
 GO_DIRS := build cmd models modules routers services tests
 WEB_DIRS := web_src/js web_src/css
 
-ESLINT_FILES := web_src/js tools *.config.js tests/e2e
 STYLELINT_FILES := web_src/css web_src/js/components/*.vue
-SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) docs/content templates options/locale/locale_en-US.ini .github
+SPELLCHECK_FILES := $(GO_DIRS) $(WEB_DIRS) docs/content templates options/locale/locale_en-US.ini .github $(wildcard *.go *.js *.ts *.vue *.md *.yml *.yaml)
 
 GO_SOURCES := $(wildcard *.go)
 GO_SOURCES += $(shell find $(GO_DIRS) -type f -name "*.go" ! -path modules/options/bindata.go ! -path modules/public/bindata.go ! -path modules/templates/bindata.go)
@@ -155,7 +162,7 @@ GO_SOURCES += $(GENERATED_GO_DEST)
 GO_SOURCES_NO_BINDATA := $(GO_SOURCES)
 
 ifeq ($(HAS_GO), yes)
-	MIGRATION_PACKAGES := $(shell $(GO) list code.gitea.io/gitea/models/migrations/... code.gitea.io/gitea/models/forgejo_migrations/...)
+	MIGRATION_PACKAGES := $(shell $(GO) list forgejo.org/models/migrations/... forgejo.org/models/forgejo_migrations/...)
 endif
 
 ifeq ($(filter $(TAGS_SPLIT),bindata),bindata)
@@ -176,9 +183,10 @@ SWAGGER_SPEC_S_JSON := s|"basePath": *"{{AppSubUrl \| JSEscape}}/api/v1"|"basePa
 SWAGGER_EXCLUDE := code.gitea.io/sdk
 SWAGGER_NEWLINE_COMMAND := -e '$$a\'
 SWAGGER_SPEC_BRANDING := s|Gitea API|Forgejo API|g
+SWAGGER_SPEC_LICENSE := s|"name": "MIT"|"name": "This file is distributed under the MIT license for the purpose of interoperability"|
 
 TEST_MYSQL_HOST ?= mysql:3306
-TEST_MYSQL_DBNAME ?= testgitea
+TEST_MYSQL_DBNAME ?= testgitea?multiStatements=true
 TEST_MYSQL_USERNAME ?= root
 TEST_MYSQL_PASSWORD ?=
 TEST_PGSQL_HOST ?= pgsql:5432
@@ -186,10 +194,6 @@ TEST_PGSQL_DBNAME ?= testgitea
 TEST_PGSQL_USERNAME ?= postgres
 TEST_PGSQL_PASSWORD ?= postgres
 TEST_PGSQL_SCHEMA ?= gtestschema
-TEST_MSSQL_HOST ?= mssql:1433
-TEST_MSSQL_DBNAME ?= gitea
-TEST_MSSQL_USERNAME ?= sa
-TEST_MSSQL_PASSWORD ?= MwantsaSecurePassword1
 
 .PHONY: all
 all: build
@@ -210,10 +214,8 @@ help:
 	@echo " - deps-frontend                    install frontend dependencies"
 	@echo " - deps-backend                     install backend dependencies"
 	@echo " - deps-tools                       install tool dependencies"
-	@echo " - deps-py                          install python dependencies"
 	@echo " - lint                             lint everything"
 	@echo " - lint-fix                         lint everything and fix issues"
-	@echo " - lint-actions                     lint action workflow files"
 	@echo " - lint-frontend                    lint frontend files"
 	@echo " - lint-frontend-fix                lint frontend files and fix issues"
 	@echo " - lint-backend                     lint backend files"
@@ -221,16 +223,14 @@ help:
 	@echo " - lint-go                          lint go files"
 	@echo " - lint-go-fix                      lint go files and fix issues"
 	@echo " - lint-go-vet                      lint go files with vet"
+	@echo " - lint-go-gopls                    lint go files with gopls"
 	@echo " - lint-js                          lint js files"
 	@echo " - lint-js-fix                      lint js files and fix issues"
 	@echo " - lint-css                         lint css files"
 	@echo " - lint-css-fix                     lint css files and fix issues"
 	@echo " - lint-md                          lint markdown files"
 	@echo " - lint-swagger                     lint swagger files"
-	@echo " - lint-templates                   lint template files"
-	@echo " - lint-yaml                        lint yaml files"
-	@echo " - lint-spell                       lint spelling"
-	@echo " - lint-spell-fix                   lint spelling and fix issues"
+	@echo " - lint-renovate                    lint renovate files"
 	@echo " - checks                           run various consistency checks"
 	@echo " - checks-frontend                  check frontend files"
 	@echo " - checks-backend                   check backend files"
@@ -238,11 +238,10 @@ help:
 	@echo " - show-version-full                show the same version as the API endpoint"
 	@echo " - show-version-major               show major release number only"
 	@echo " - test-frontend                    test frontend files"
+	@echo " - test-frontend-coverage           test frontend files and display code coverage"
 	@echo " - test-backend                     test backend files"
-	@echo " - test-e2e[\#TestSpecificName]     test end to end using playwright"
-	@echo " - update                           update js and py dependencies"
-	@echo " - update-js                        update js dependencies"
-	@echo " - update-py                        update py dependencies"
+	@echo " - test-remote-cacher               test backend files that use a remote cache"
+	@echo " - test-e2e-sqlite[\#name.test.e2e] test end to end using playwright and sqlite"
 	@echo " - webpack                          build webpack files"
 	@echo " - svg                              build svg files"
 	@echo " - fomantic                         build fomantic files"
@@ -251,14 +250,44 @@ help:
 	@echo " - generate-license                 update license files"
 	@echo " - generate-gitignore               update gitignore files"
 	@echo " - generate-manpage                 generate manpage"
+	@echo " - generate-gomock                  generate gomock files"
 	@echo " - generate-forgejo-api             generate the forgejo API from spec"
 	@echo " - forgejo-api-validate             check if the forgejo API matches the specs"
 	@echo " - generate-swagger                 generate the swagger spec from code comments"
 	@echo " - swagger-validate                 check if the swagger spec is valid"
 	@echo " - go-licenses                      regenerate go licenses"
 	@echo " - tidy                             run go mod tidy"
-	@echo " - test[\#TestSpecificName]    	    run unit test"
+	@echo " - test[\#TestSpecificName]         run unit test"
 	@echo " - test-sqlite[\#TestSpecificName]  run integration test for sqlite"
+	@echo " - reproduce-build\#version         build a reproducible binary for the specified release version"
+
+.PHONY: verify-version
+verify-version:
+ifeq ($(FORGEJO_VERSION),)
+	@echo "Error: Could not determine FORGEJO_VERSION; version file $(STORED_VERSION_FILE) not present and no suitable git tag found"
+	@echo 'In most cases this likely means you forgot to fetch git tags, you can fix this by executing `git fetch --tags`. If this is not possible and this is part of a custom build process, then you can set a specific version by writing it to $(STORED_VERSION_FILE) (This must be a semver compatible version).'
+	@false
+endif
+
+.PHONY: show-version-full
+show-version-full: verify-version
+	@echo ${FORGEJO_VERSION}
+
+.PHONY: show-version-major
+show-version-major: verify-version
+	@echo ${FORGEJO_VERSION_MAJOR}
+
+.PHONY: show-version-minor
+show-version-minor: verify-version
+	@echo ${FORGEJO_VERSION_MINOR}
+
+.PHONY: show-version-api
+show-version-api: verify-version
+	@echo ${FORGEJO_VERSION_API}
+
+###
+# Check system and environment requirements
+###
 
 .PHONY: go-check
 go-check:
@@ -266,14 +295,14 @@ go-check:
 	$(eval MIN_GO_VERSION := $(shell printf "%03d%03d" $(shell echo '$(MIN_GO_VERSION_STR)' | tr '.' ' ')))
 	$(eval GO_VERSION := $(shell printf "%03d%03d" $(shell $(GO) version | grep -Eo '[0-9]+\.[0-9]+' | tr '.' ' ');))
 	@if [ "$(GO_VERSION)" -lt "$(MIN_GO_VERSION)" ]; then \
-		echo "Gitea requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
+		echo "Forgejo requires Go $(MIN_GO_VERSION_STR) or greater to build. You can get it at https://go.dev/dl/"; \
 		exit 1; \
 	fi
 
 .PHONY: git-check
 git-check:
 	@if git lfs >/dev/null 2>&1 ; then : ; else \
-		echo "Gitea requires git with lfs support to run tests." ; \
+		echo "Forgejo requires git with lfs support to run tests." ; \
 		exit 1; \
 	fi
 
@@ -284,10 +313,14 @@ node-check:
 	$(eval NODE_VERSION := $(shell printf "%03d%03d%03d" $(shell node -v | cut -c2- | tr '.' ' ');))
 	$(eval NPM_MISSING := $(shell hash npm > /dev/null 2>&1 || echo 1))
 	@if [ "$(NODE_VERSION)" -lt "$(MIN_NODE_VERSION)" -o "$(NPM_MISSING)" = "1" ]; then \
-		echo "Gitea requires Node.js $(MIN_NODE_VERSION_STR) or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
+		echo "Forgejo requires Node.js $(MIN_NODE_VERSION_STR) or greater and npm to build. You can get it at https://nodejs.org/en/download/"; \
 		exit 1; \
 	fi
 
+###
+# Basic maintenance, check and lint targets
+###
+
 .PHONY: clean-all
 clean-all: clean
 	rm -rf $(WEBPACK_DEST_ENTRIES) node_modules
@@ -299,14 +332,14 @@ clean:
 		e2e*.test \
 		tests/integration/gitea-integration-* \
 		tests/integration/indexers-* \
-		tests/mysql.ini tests/pgsql.ini tests/mssql.ini man/ \
+		tests/mysql.ini tests/pgsql.ini man/ \
 		tests/e2e/gitea-e2e-*/ \
 		tests/e2e/indexers-*/ \
 		tests/e2e/reports/ tests/e2e/test-artifacts/ tests/e2e/test-snapshots/
 
 .PHONY: fmt
 fmt:
-	GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run build/code-batch-process.go gitea-fmt -w '{file-list}'
+	@GOFUMPT_PACKAGE=$(GOFUMPT_PACKAGE) $(GO) run build/code-batch-process.go gitea-fmt -w '{file-list}'
 	$(eval TEMPLATES := $(shell find templates -type f -name '*.tmpl'))
 	@# strip whitespace after '{{' or '(' and before '}}' or ')' unless there is only
 	@# whitespace before it
@@ -354,6 +387,7 @@ $(SWAGGER_SPEC): $(GO_SOURCES_NO_BINDATA)
 	$(SED_INPLACE) '$(SWAGGER_SPEC_S_TMPL)' './$(SWAGGER_SPEC)'
 	$(SED_INPLACE) $(SWAGGER_NEWLINE_COMMAND) './$(SWAGGER_SPEC)'
 	$(SED_INPLACE) '$(SWAGGER_SPEC_BRANDING)' './$(SWAGGER_SPEC)'
+	$(SED_INPLACE) '$(SWAGGER_SPEC_LICENSE)' './$(SWAGGER_SPEC)'
 
 .PHONY: swagger-check
 swagger-check: generate-swagger
@@ -376,10 +410,10 @@ checks-frontend: lockfile-check svg-check
 checks-backend: tidy-check swagger-check fmt-check swagger-validate security-check
 
 .PHONY: lint
-lint: lint-frontend lint-backend lint-spell
+lint: lint-frontend lint-backend
 
 .PHONY: lint-fix
-lint-fix: lint-frontend-fix lint-backend-fix lint-spell-fix
+lint-fix: lint-frontend-fix lint-backend-fix
 
 .PHONY: lint-frontend
 lint-frontend: lint-js lint-css
@@ -388,18 +422,18 @@ lint-frontend: lint-js lint-css
 lint-frontend-fix: lint-js-fix lint-css-fix
 
 .PHONY: lint-backend
-lint-backend: lint-go lint-go-vet lint-editorconfig
+lint-backend: lint-go lint-go-vet lint-editorconfig lint-renovate lint-locale lint-locale-usage lint-disposable-emails
 
 .PHONY: lint-backend-fix
-lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig
+lint-backend-fix: lint-go-fix lint-go-vet lint-editorconfig lint-disposable-emails-fix
 
 .PHONY: lint-js
 lint-js: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue $(ESLINT_FILES)
+	npx eslint --color --max-warnings=0
 
 .PHONY: lint-js-fix
 lint-js-fix: node_modules
-	npx eslint --color --max-warnings=0 --ext js,vue $(ESLINT_FILES) --fix
+	npx eslint --color --max-warnings=0 --fix
 
 .PHONY: lint-css
 lint-css: node_modules
@@ -413,58 +447,67 @@ lint-css-fix: node_modules
 lint-swagger: node_modules
 	npx spectral lint -q -F hint $(SWAGGER_SPEC)
 
+.PHONY: lint-renovate
+lint-renovate: node_modules
+	npx --yes --package $(RENOVATE_NPM_PACKAGE) -- renovate-config-validator > .lint-renovate 2>&1 || true
+	@if grep --quiet --extended-regexp -e '^( ERROR:)' .lint-renovate ; then cat .lint-renovate ; rm .lint-renovate ; exit 1 ; fi
+	@rm .lint-renovate
+
+.PHONY: lint-locale
+lint-locale:
+	$(GO) run build/lint-locale/lint-locale.go
+
+.PHONY: lint-locale-usage
+lint-locale-usage:
+	$(GO) run build/lint-locale-usage/lint-locale-usage.go
+
 .PHONY: lint-md
 lint-md: node_modules
 	npx markdownlint docs *.md
 
-.PHONY: lint-spell
-lint-spell:
-	@go run $(MISSPELL_PACKAGE) -error $(SPELLCHECK_FILES)
-
-.PHONY: lint-spell-fix
-lint-spell-fix:
-	@go run $(MISSPELL_PACKAGE) -w $(SPELLCHECK_FILES)
+RUN_DEADCODE = $(GO) run $(DEADCODE_PACKAGE) -generated=false -f='{{println .Path}}{{range .Funcs}}{{printf "\t%s\n" .Name}}{{end}}{{println}}' -test forgejo.org
 
 .PHONY: lint-go
 lint-go:
 	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS)
-	$(GO) run $(DEADCODE_PACKAGE) -generated=false -test code.gitea.io/gitea > .cur-deadcode-out
+	$(RUN_DEADCODE) > .cur-deadcode-out
 	@$(DIFF) .deadcode-out .cur-deadcode-out \
 	|| (code=$$?; echo "Please run 'make lint-go-fix' and commit the result"; exit $${code})
 
 .PHONY: lint-go-fix
 lint-go-fix:
 	$(GO) run $(GOLANGCI_LINT_PACKAGE) run $(GOLANGCI_LINT_ARGS) --fix
-	$(GO) run $(DEADCODE_PACKAGE) -generated=false -test code.gitea.io/gitea > .deadcode-out
-
-# workaround step for the lint-go-windows CI task because 'go run' can not
-# have distinct GOOS/GOARCH for its build and run steps
-.PHONY: lint-go-windows
-lint-go-windows:
-	@GOOS= GOARCH= $(GO) install $(GOLANGCI_LINT_PACKAGE)
-	golangci-lint run
+	$(RUN_DEADCODE) > .deadcode-out
 
 .PHONY: lint-go-vet
 lint-go-vet:
 	@echo "Running go vet..."
-	@$(GO) vet $(GO_PACKAGES)
+	@$(GO) vet ./...
+
+.PHONY: lint-go-gopls
+lint-go-gopls:
+	@echo "Running gopls check..."
+	@GO=$(GO) GOPLS_PACKAGE=$(GOPLS_PACKAGE) tools/lint-go-gopls.sh $(GO_SOURCES_NO_BINDATA)
 
 .PHONY: lint-editorconfig
 lint-editorconfig:
 	$(GO) run $(EDITORCONFIG_CHECKER_PACKAGE) templates .forgejo/workflows
 
-.PHONY: lint-actions
-lint-actions:
-	$(GO) run $(ACTIONLINT_PACKAGE)
+.PHONY: lint-disposable-emails
+lint-disposable-emails:
+	$(GO) run build/generate-disposable-email.go -check -r $(DISPOSABLE_EMAILS_SHA)
 
-.PHONY: lint-templates
-lint-templates: .venv node_modules
-	@node tools/lint-templates-svg.js
-	@poetry run djlint $(shell find templates -type f -iname '*.tmpl')
+.PHONY: lint-disposable-emails-fix
+lint-disposable-emails-fix:
+	$(GO) run build/generate-disposable-email.go -r $(DISPOSABLE_EMAILS_SHA)
 
-.PHONY: lint-yaml
-lint-yaml: .venv
-	@poetry run yamllint .
+.PHONY: security-check
+security-check:
+	go run $(GOVULNCHECK_PACKAGE) -show color ./...
+
+###
+# Development and testing targets
+###
 
 .PHONY: watch
 watch:
@@ -485,12 +528,21 @@ test: test-frontend test-backend
 .PHONY: test-backend
 test-backend:
 	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_PACKAGES)
+
+.PHONY: test-remote-cacher
+test-remote-cacher:
+	@echo "Running go test with $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' $(GO_TEST_REMOTE_CACHER_PACKAGES)
 
 .PHONY: test-frontend
 test-frontend: node_modules
 	npx vitest
 
+.PHONY: test-frontend-coverage
+test-frontend-coverage: node_modules
+	npx vitest --coverage --coverage.include 'web_src/**'
+
 .PHONY: test-check
 test-check:
 	@echo "Running test-check...";
@@ -506,7 +558,7 @@ test-check:
 .PHONY: test\#%
 test\#%:
 	@echo "Running go test with -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
+	@$(GOTEST) $(GOTESTFLAGS) -tags='$(TEST_TAGS)' -run $(subst .,/,$*) $(GO_TEST_PACKAGES)
 
 .PHONY: coverage
 coverage:
@@ -517,7 +569,7 @@ coverage:
 .PHONY: unit-test-coverage
 unit-test-coverage:
 	@echo "Running unit-test-coverage $(GOTESTFLAGS) -tags '$(TEST_TAGS)'..."
-	@$(GO) test $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
+	@$(GOTEST) $(GOTESTFLAGS) -timeout=20m -tags='$(TEST_TAGS)' -cover -coverprofile coverage.out $(GO_TEST_PACKAGES) && echo "\n==>\033[32m Ok\033[m\n" || exit 1
 
 .PHONY: tidy
 tidy:
@@ -538,7 +590,7 @@ tidy-check: tidy
 go-licenses: $(GO_LICENSE_FILE)
 
 $(GO_LICENSE_FILE): go.mod go.sum
-	-$(GO) run $(GO_LICENSES_PACKAGE) save . --force --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
+	-$(GO) run $(GO_LICENSES_PACKAGE) save . --force --ignore forgejo.org --save_path=$(GO_LICENSE_TMP_DIR) 2>/dev/null
 	$(GO) run build/generate-go-licenses.go $(GO_LICENSE_TMP_DIR) $(GO_LICENSE_FILE)
 	@rm -rf $(GO_LICENSE_TMP_DIR)
 
@@ -550,11 +602,11 @@ generate-ini-sqlite:
 
 .PHONY: test-sqlite
 test-sqlite: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)
 
 .PHONY: test-sqlite\#%
 test-sqlite\#%: integrations.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.sqlite.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)
 
 .PHONY: test-sqlite-migration
 test-sqlite-migration:  migrations.sqlite.test migrations.individual.sqlite.test
@@ -571,11 +623,11 @@ generate-ini-mysql:
 
 .PHONY: test-mysql
 test-mysql: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX)
 
 .PHONY: test-mysql\#%
 test-mysql\#%: integrations.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)
 
 .PHONY: test-mysql-migration
 test-mysql-migration: migrations.mysql.test migrations.individual.mysql.test
@@ -589,40 +641,20 @@ generate-ini-pgsql:
 		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
 		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
 		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
+		-e 's|{{TEST_STORAGE_TYPE}}|$(or $(TEST_STORAGE_TYPE),minio)|g' \
 			tests/pgsql.ini.tmpl > tests/pgsql.ini
 
 .PHONY: test-pgsql
 test-pgsql: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX)
 
 .PHONY: test-pgsql\#%
 test-pgsql\#%: integrations.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.run $(subst .,/,$*)
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./integrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run $(subst .,/,$*)
 
 .PHONY: test-pgsql-migration
 test-pgsql-migration: migrations.pgsql.test migrations.individual.pgsql.test
 
-generate-ini-mssql:
-	sed -e 's|{{TEST_MSSQL_HOST}}|${TEST_MSSQL_HOST}|g' \
-		-e 's|{{TEST_MSSQL_DBNAME}}|${TEST_MSSQL_DBNAME}|g' \
-		-e 's|{{TEST_MSSQL_USERNAME}}|${TEST_MSSQL_USERNAME}|g' \
-		-e 's|{{TEST_MSSQL_PASSWORD}}|${TEST_MSSQL_PASSWORD}|g' \
-		-e 's|{{REPO_TEST_DIR}}|${REPO_TEST_DIR}|g' \
-		-e 's|{{TEST_LOGGER}}|$(or $(TEST_LOGGER),test$(COMMA)file)|g' \
-		-e 's|{{TEST_TYPE}}|$(or $(TEST_TYPE),integration)|g' \
-			tests/mssql.ini.tmpl > tests/mssql.ini
-
-.PHONY: test-mssql
-test-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test
-
-.PHONY: test-mssql\#%
-test-mssql\#%: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test -test.run $(subst .,/,$*)
-
-.PHONY: test-mssql-migration
-test-mssql-migration: migrations.mssql.test migrations.individual.mssql.test
-
 .PHONY: playwright
 playwright: deps-frontend
 	npx playwright install $(PLAYWRIGHT_FLAGS)
@@ -637,39 +669,34 @@ test-e2e: test-e2e-sqlite
 
 .PHONY: test-e2e-sqlite
 test-e2e-sqlite: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e
 
 .PHONY: test-e2e-sqlite\#%
 test-e2e-sqlite\#%: playwright e2e.sqlite.test generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
+
+.PHONY: test-e2e-sqlite-firefox\#%
+test-e2e-sqlite-firefox\#%: playwright e2e.sqlite.test generate-ini-sqlite
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini PLAYWRIGHT_PROJECT=firefox $(GOTESTCOMPILEDRUNPREFIX) ./e2e.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 
 .PHONY: test-e2e-mysql
 test-e2e-mysql: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e
 
 .PHONY: test-e2e-mysql\#%
 test-e2e-mysql\#%: playwright e2e.mysql.test generate-ini-mysql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./e2e.mysql.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.mysql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 
 .PHONY: test-e2e-pgsql
 test-e2e-pgsql: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e
 
 .PHONY: test-e2e-pgsql\#%
 test-e2e-pgsql\#%: playwright e2e.pgsql.test generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./e2e.pgsql.test -test.run TestE2e/$*
-
-.PHONY: test-e2e-mssql
-test-e2e-mssql: playwright e2e.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./e2e.mssql.test -test.run TestE2e
-
-.PHONY: test-e2e-mssql\#%
-test-e2e-mssql\#%: playwright e2e.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./e2e.mssql.test -test.run TestE2e/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./e2e.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX) -test.run TestE2e/$*
 
 .PHONY: test-e2e-debugserver
 test-e2e-debugserver: e2e.sqlite.test generate-ini-sqlite
-	sed -i s/3003/3000/g tests/sqlite.ini
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./e2e.sqlite.test -test.run TestDebugserver -test.timeout 24h
 
 .PHONY: bench-sqlite
@@ -680,10 +707,6 @@ bench-sqlite: integrations.sqlite.test generate-ini-sqlite
 bench-mysql: integrations.mysql.test generate-ini-mysql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./integrations.mysql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
 
-.PHONY: bench-mssql
-bench-mssql: integrations.mssql.test generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./integrations.mssql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
-
 .PHONY: bench-pgsql
 bench-pgsql: integrations.pgsql.test generate-ini-pgsql
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./integrations.pgsql.test -test.cpuprofile=cpu.out -test.run DontRunTests -test.bench .
@@ -697,102 +720,84 @@ integration-test-coverage-sqlite: integrations.cover.sqlite.test generate-ini-sq
 	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./integrations.cover.sqlite.test -test.coverprofile=integration.coverage.out
 
 integrations.mysql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.mysql.test
 
 integrations.pgsql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.pgsql.test
-
-integrations.mssql.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.mssql.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.pgsql.test
 
 integrations.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -o integrations.sqlite.test -tags '$(TEST_TAGS)'
 
 integrations.cover.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.test
 
 integrations.cover.sqlite.test: git-check $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration -coverpkg $(shell echo $(GO_TEST_PACKAGES) | tr ' ' ',') -o integrations.cover.sqlite.test -tags '$(TEST_TAGS)'
 
 .PHONY: migrations.mysql.test
 migrations.mysql.test: $(GO_SOURCES) generate-ini-mysql
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mysql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini ./migrations.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration/migration-test -o migrations.mysql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.mysql.test $(GOTESTCOMPILEDRUNSUFFIX)
 
 .PHONY: migrations.pgsql.test
 migrations.pgsql.test: $(GO_SOURCES) generate-ini-pgsql
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.pgsql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini ./migrations.pgsql.test
-
-.PHONY: migrations.mssql.test
-migrations.mssql.test: $(GO_SOURCES) generate-ini-mssql
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.mssql.test
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini ./migrations.mssql.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration/migration-test -o migrations.pgsql.test
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.pgsql.test $(GOTESTCOMPILEDRUNSUFFIX)
 
 .PHONY: migrations.sqlite.test
 migrations.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini ./migrations.sqlite.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/integration/migration-test -o migrations.sqlite.test -tags '$(TEST_TAGS)'
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTESTCOMPILEDRUNPREFIX) ./migrations.sqlite.test $(GOTESTCOMPILEDRUNSUFFIX)
 
 .PHONY: migrations.individual.mysql.test
 migrations.individual.mysql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mysql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
 
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*
 
 .PHONY: migrations.individual.pgsql.test
 migrations.individual.pgsql.test: $(GO_SOURCES)
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1;\
 	done
 
 .PHONY: migrations.individual.pgsql.test\#%
 migrations.individual.pgsql.test\#%: $(GO_SOURCES) generate-ini-pgsql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
-
-
-.PHONY: migrations.individual.mssql.test
-migrations.individual.mssql.test: $(GO_SOURCES) generate-ini-mssql
-	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' -test.failfast $$pkg || exit 1; \
-	done
-
-.PHONY: migrations.individual.mssql.test\#%
-migrations.individual.mssql.test\#%: $(GO_SOURCES) generate-ini-mssql
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/mssql.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/pgsql.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*
 
 .PHONY: migrations.individual.sqlite.test
 migrations.individual.sqlite.test: $(GO_SOURCES) generate-ini-sqlite
 	for pkg in $(MIGRATION_PACKAGES); do \
-		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
+		GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' $$pkg || exit 1; \
 	done
 
 .PHONY: migrations.individual.sqlite.test\#%
 migrations.individual.sqlite.test\#%: $(GO_SOURCES) generate-ini-sqlite
-	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GO) test $(GOTESTFLAGS) -tags '$(TEST_TAGS)' code.gitea.io/gitea/models/migrations/$*
+	GITEA_ROOT="$(CURDIR)" GITEA_CONF=tests/sqlite.ini $(GOTEST) $(GOTESTFLAGS) -tags '$(TEST_TAGS)' forgejo.org/models/migrations/$*
 
 e2e.mysql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mysql.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/e2e -o e2e.mysql.test
 
 e2e.pgsql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.pgsql.test
-
-e2e.mssql.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.mssql.test
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/e2e -o e2e.pgsql.test
 
 e2e.sqlite.test: $(GO_SOURCES)
-	$(GO) test $(GOTESTFLAGS) -c code.gitea.io/gitea/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'
+	$(GOTEST) $(GOTESTFLAGS) -c forgejo.org/tests/e2e -o e2e.sqlite.test -tags '$(TEST_TAGS)'
 
 .PHONY: check
 check: test
 
+###
+# Production / build targets
+###
+
 .PHONY: install $(TAGS_PREREQ)
-install: $(wildcard *.go)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)'
+install: $(wildcard *.go) | verify-version
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) install -v -tags '$(TAGS)' -ldflags '$(LDFLAGS)'
 
 .PHONY: build
 build: frontend backend
@@ -813,24 +818,20 @@ generate-backend: $(TAGS_PREREQ) generate-go
 .PHONY: generate-go
 generate-go: $(TAGS_PREREQ)
 	@echo "Running go generate..."
-	@CC= GOOS= GOARCH= $(GO) generate -tags '$(TAGS)' $(GO_PACKAGES)
+	@CC= GOOS= GOARCH= CGO_ENABLED=0 $(GO) generate -tags '$(TAGS)' ./...
 
 .PHONY: merge-locales
 merge-locales:
 	@echo "NOT NEEDED: THIS IS A NOOP AS OF Forgejo 7.0 BUT KEPT FOR BACKWARD COMPATIBILITY"
 
-.PHONY: security-check
-security-check:
-	go run $(GOVULNCHECK_PACKAGE) ./...
-
-$(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '-s -w $(LDFLAGS)' -o $@
+$(EXECUTABLE): $(GO_SOURCES) $(TAGS_PREREQ) | verify-version
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o $@
 
 forgejo: $(EXECUTABLE)
 	ln -f $(EXECUTABLE) forgejo
 
-static-executable: $(GO_SOURCES) $(TAGS_PREREQ)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-s -w -linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
+static-executable: $(GO_SOURCES) $(TAGS_PREREQ) | verify-version
+	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) build $(GOFLAGS) $(EXTRA_GOFLAGS) -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -o $(EXECUTABLE)
 
 .PHONY: release
 release: frontend generate release-linux release-copy release-compress vendor release-sources release-check
@@ -841,26 +842,19 @@ sources-tarbal: frontend generate vendor release-sources release-check
 $(DIST_DIRS):
 	mkdir -p $(DIST_DIRS)
 
-.PHONY: release-windows
-release-windows: | $(DIST_DIRS)
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION) .
-ifeq (,$(findstring gogit,$(TAGS)))
-	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -buildmode exe -dest $(DIST)/binaries -tags 'osusergo gogit $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets 'windows/*' -out gitea-$(VERSION)-gogit .
-endif
-
 .PHONY: release-linux
-release-linux: | $(DIST_DIRS)
+release-linux: | $(DIST_DIRS) verify-version
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '-linkmode external -extldflags "-static" $(LDFLAGS)' -targets '$(LINUX_ARCHS)' -out forgejo-$(VERSION) .
 ifeq ($(CI),true)
 	cp /build/* $(DIST)/binaries
 endif
 
 .PHONY: release-darwin
-release-darwin: | $(DIST_DIRS)
+release-darwin: | $(DIST_DIRS) verify-version
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'darwin-10.12/amd64,darwin-10.12/arm64' -out gitea-$(VERSION) .
 
 .PHONY: release-freebsd
-release-freebsd: | $(DIST_DIRS)
+release-freebsd: | $(DIST_DIRS) verify-version
 	CGO_CFLAGS="$(CGO_CFLAGS)" $(GO) run $(XGO_PACKAGE) -go $(XGO_VERSION) -dest $(DIST)/binaries -tags 'netgo osusergo $(TAGS)' -ldflags '$(LDFLAGS)' -targets 'freebsd/amd64' -out gitea-$(VERSION) .
 
 .PHONY: release-copy
@@ -889,11 +883,32 @@ release-sources: | $(DIST_DIRS)
 release-docs: | $(DIST_DIRS) docs
 	tar -czf $(DIST)/release/gitea-docs-$(VERSION).tar.gz -C ./docs .
 
-.PHONY: deps
-deps: deps-frontend deps-backend deps-tools deps-py
+.PHONY: reproduce-build
+reproduce-build:
+# Start building the Dockerfile with the RELEASE_VERSION tag set. GOPROXY is set
+# for convenience, because the default of the Dockerfile is `direct` which can be
+# quite slow.
+	@docker build --build-arg="RELEASE_VERSION=$(RELEASE_VERSION)" --build-arg="GOPROXY=$(shell $(GO) env GOPROXY)" --tag "forgejo-reproducibility" .
+	@id=$$(docker create forgejo-reproducibility); \
+	docker cp $$id:/app/gitea/gitea ./forgejo; \
+	docker rm -v $$id; \
+	docker image rm forgejo-reproducibility:latest
 
-.PHONY: deps-py
-deps-py: .venv
+.PHONY: reproduce-build\#%
+reproduce-build\#%:
+	@git switch -d "$*"
+# All the current variables are based on information before the git checkout happened.
+# Call the makefile again, so these variables are correct and can be used for building
+# a reproducible binary. Always execute git switch -, to go back to the previous branch.
+	@make reproduce-build; \
+	(code=$$?; git switch -; exit $${code})
+
+###
+# Dependency management
+###
+
+.PHONY: deps
+deps: deps-frontend deps-backend deps-tools
 
 .PHONY: deps-frontend
 deps-frontend: node_modules
@@ -914,31 +929,15 @@ deps-tools:
 	$(GO) install $(XGO_PACKAGE)
 	$(GO) install $(GO_LICENSES_PACKAGE)
 	$(GO) install $(GOVULNCHECK_PACKAGE)
-	$(GO) install $(ACTIONLINT_PACKAGE)
+	$(GO) install $(GOMOCK_PACKAGE)
+	$(GO) install $(GOPLS_PACKAGE)
 
 node_modules: package-lock.json
 	npm install --no-save
 	@touch node_modules
 
 .venv: poetry.lock
-	poetry install --no-root
-	@touch .venv
-
-.PHONY: update
-update: update-js update-py
-
-.PHONY: update-js
-update-js: node-check | node_modules
-	npx updates -u -f package.json
-	rm -rf node_modules package-lock.json
-	npm install --package-lock
-	@touch node_modules
-
-.PHONY: update-py
-update-py: node-check | node_modules
-	npx updates -u -f pyproject.toml
-	rm -rf .venv poetry.lock
-	poetry install --no-root
+	poetry install
 	@touch .venv
 
 .PHONY: fomantic
@@ -959,8 +958,9 @@ webpack: $(WEBPACK_DEST)
 
 $(WEBPACK_DEST): $(WEBPACK_SOURCES) $(WEBPACK_CONFIGS) package-lock.json
 	@$(MAKE) -s node-check node_modules
-	rm -rf $(WEBPACK_DEST_ENTRIES)
-	npx webpack
+	@rm -rf $(WEBPACK_DEST_ENTRIES)
+	@echo "Running webpack..."
+	@BROWSERSLIST_IGNORE_OLD_DATA=true npx webpack
 	@touch $(WEBPACK_DEST)
 
 .PHONY: svg
@@ -980,16 +980,6 @@ lockfile-check:
 	@git diff --exit-code --color=always package-lock.json \
 	|| (code=$$?; echo "Please run 'npm install --package-lock-only' and commit the result"; exit $${code})
 
-.PHONY: update-translations
-update-translations:
-	mkdir -p ./translations
-	cd ./translations && curl -L https://crowdin.com/download/project/gitea.zip > gitea.zip && unzip gitea.zip
-	rm ./translations/gitea.zip
-	$(SED_INPLACE) -e 's/="/=/g' -e 's/"$$//g' ./translations/*.ini
-	$(SED_INPLACE) -e 's/\\"/"/g' ./translations/*.ini
-	mv ./translations/*.ini ./options/locale/
-	rmdir ./translations
-
 .PHONY: generate-license
 generate-license:
 	$(GO) run build/generate-licenses.go
@@ -998,10 +988,13 @@ generate-license:
 generate-gitignore:
 	$(GO) run build/generate-gitignores.go
 
+.PHONY: generate-gomock
+generate-gomock:
+	$(GO) run $(GOMOCK_PACKAGE) -package mock -destination ./modules/queue/mock/redisuniversalclient.go forgejo.org/modules/nosql RedisClient
+
 .PHONY: generate-images
 generate-images: | node_modules
-	npm install --no-save fabric@6.0.0-beta20 imagemin-zopfli@7
-	node tools/generate-images.js $(TAGS)
+	node tools/generate-images.js
 
 .PHONY: generate-manpage
 generate-manpage:
@@ -1011,11 +1004,6 @@ generate-manpage:
 	@gzip -9 man/man1/gitea.1 && echo man/man1/gitea.1.gz created
 	@#TODO A small script that formats config-cheat-sheet.en-us.md nicely for use as a config man page
 
-.PHONY: docker
-docker:
-	docker build --disable-content-trust=false -t $(DOCKER_REF) .
-# support also build args docker build --build-arg GITEA_VERSION=v1.2.3 --build-arg TAGS="bindata sqlite sqlite_unlock_notify"  .
-
 # This endif closes the if at the top of the file
 endif
 

README.md

@@ -15,11 +15,6 @@ Our promise: **Independent Free/Libre Software forever!**
 
 ## What does Forgejo offer?
 
-<!-- If you want to know what Forgejo is like,
-you can check out public instances,
-e.g. [Codeberg.org](https://codeberg.org).
--->
-
 If you like any of the following, Forgejo is literally meant for you:
 
 - Lightweight: Forgejo can easily be hosted on nearly **every machine**.
@@ -40,6 +35,11 @@ If you like any of the following, Forgejo is literally meant for you:
 
 Dive into the [documentation](https://forgejo.org/docs/latest/), subscribe to releases and blog post on [our website](https://forgejo.org), <a href="https://floss.social/@forgejo" rel="me">find us on the Fediverse</a> or hop into [our Matrix room](https://matrix.to/#/#forgejo-chat:matrix.org) if you have any questions or want to get involved.
 
+## License
+
+Forgejo is distributed under the terms of the [GPL version 3.0](LICENSE) or any later version.
+
+The agreement for this license [was documented in June 2023](https://codeberg.org/forgejo/governance/pulls/24) and implemented during the development of Forgejo v9.0. All Forgejo versions before v9.0 are distributed under the MIT license.
 
 ## Get involved
 

build.go

@@ -11,13 +11,4 @@ package main
 import (
 	// for embed
 	_ "github.com/shurcooL/vfsgen"
-
-	// for cover merge
-	_ "golang.org/x/tools/cover"
-
-	// for vet
-	_ "code.gitea.io/gitea-vet"
-
-	// for swagger
-	_ "github.com/go-swagger/go-swagger/cmd/swagger"
 )

build/backport-locales.go

@@ -12,14 +12,14 @@ import (
 	"path/filepath"
 	"strings"
 
-	"code.gitea.io/gitea/modules/container"
-	"code.gitea.io/gitea/modules/setting"
+	"forgejo.org/modules/container"
+	"forgejo.org/modules/setting"
 )
 
 func main() {
 	if len(os.Args) != 2 {
-		println("usage: backport-locales <to-ref>")
-		println("eg: backport-locales release/v1.19")
+		fmt.Println("usage: backport-locales <to-ref>")
+		fmt.Println("eg: backport-locales release/v1.19")
 		os.Exit(1)
 	}
 

build/code-batch-process.go

@@ -15,7 +15,7 @@ import (
 	"strconv"
 	"strings"
 
-	"code.gitea.io/gitea/build/codeformat"
+	"forgejo.org/build/codeformat"
 )
 
 // Windows has a limitation for command line arguments, the size can not exceed 32KB.
@@ -69,6 +69,7 @@ func newFileCollector(fileFilter string, batchSize int) (*fileCollector, error)
 		co.includePatterns = append(co.includePatterns, regexp.MustCompile(`.*\.go$`))
 
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`.*\bbindata\.go$`))
+		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`\.pb\.go$`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`tests/gitea-repositories-meta`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`tests/integration/migration-test`))
 		co.excludePatterns = append(co.excludePatterns, regexp.MustCompile(`modules/git/tests`))
@@ -203,17 +204,6 @@ Example:
 `, "file-batch-exec")
 }
 
-func getGoVersion() string {
-	goModFile, err := os.ReadFile("go.mod")
-	if err != nil {
-		log.Fatalf(`Faild to read "go.mod": %v`, err)
-		os.Exit(1)
-	}
-	goModVersionRegex := regexp.MustCompile(`go \d+\.\d+`)
-	goModVersionLine := goModVersionRegex.Find(goModFile)
-	return string(goModVersionLine[3:])
-}
-
 func newFileCollectorFromMainOptions(mainOptions map[string]string) (fc *fileCollector, err error) {
 	fileFilter := mainOptions["file-filter"]
 	if fileFilter == "" {
@@ -278,7 +268,8 @@ func main() {
 				log.Print("the -d option is not supported by gitea-fmt")
 			}
 			cmdErrors = append(cmdErrors, giteaFormatGoImports(files, containsString(subArgs, "-w")))
-			cmdErrors = append(cmdErrors, passThroughCmd("go", append([]string{"run", os.Getenv("GOFUMPT_PACKAGE"), "-extra", "-lang", getGoVersion()}, substArgs...)))
+			cmdErrors = append(cmdErrors, passThroughCmd("gofmt", append([]string{"-w", "-r", "interface{} -> any"}, substArgs...)))
+			cmdErrors = append(cmdErrors, passThroughCmd("go", append([]string{"run", os.Getenv("GOFUMPT_PACKAGE"), "-extra"}, substArgs...)))
 		default:
 			log.Fatalf("unknown cmd: %s %v", subCmd, subArgs)
 		}

build/codeformat/formatimports.go

@@ -13,8 +13,8 @@ import (
 )
 
 var importPackageGroupOrders = map[string]int{
-	"":                     1, // internal
-	"code.gitea.io/gitea/": 2,
+	"":             1, // internal
+	"forgejo.org/": 2,
 }
 
 var errInvalidCommentBetweenImports = errors.New("comments between imported packages are invalid, please move comments to the end of the package line")

build/codeformat/formatimports_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestFormatImportsSimple(t *testing.T) {
@@ -29,7 +30,7 @@ import (
 )
 `
 
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, expected, string(formatted))
 }
 
@@ -57,8 +58,8 @@ import (
 
 	"code.gitea.io/other/package"
 
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/util"
 
   "xorm.io/the/package"
 
@@ -81,8 +82,8 @@ import (
 	_ "image/jpeg" // for processing jpeg images
 	_ "image/png"  // for processing png images
 
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/util"
 
 	"code.gitea.io/other/package"
 	"github.com/issue9/identicon"
@@ -92,7 +93,7 @@ import (
 )
 `
 
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	assert.Equal(t, expected, string(formatted))
 }
 
@@ -120,5 +121,5 @@ import (
 	"image/gif"
 )
 `))
-	assert.ErrorIs(t, err, errInvalidCommentBetweenImports)
+	require.ErrorIs(t, err, errInvalidCommentBetweenImports)
 }

build/generate-disposable-email.go

@@ -0,0 +1,203 @@
+// Copyright 2024 James Hatfield
+// SPDX-License-Identifier: MIT
+
+//go:build ignore
+
+package main
+
+import (
+	"bufio"
+	"bytes"
+	"crypto"
+	"flag"
+	"fmt"
+	"go/format"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"regexp"
+	"strings"
+)
+
+const disposableEmailListURL string = "https://raw.githubusercontent.com/disposable-email-domains/disposable-email-domains/%s/disposable_email_blocklist.conf"
+
+var (
+	gitRef *string = flag.String("r", "master", "Git reference of the domain list version")
+	outPat *string = flag.String("o", "modules/setting/disposable_email_domain_data.go", "Output path")
+	check  *bool   = flag.Bool("check", false, "Check if the current output file matches the current upstream list")
+)
+
+func main() {
+	flag.Parse()
+
+	if *check {
+		// read in the local copy of the domain list
+		local, err := get_local_file()
+		if err != nil {
+			log.Fatalf("File Read Error: %v", err)
+		}
+
+		// generate the remote copy of the domain list
+		remote, err := generate()
+		if err != nil {
+			log.Fatalf("Generation Error: %v", err)
+		}
+
+		// strip the comments from both (so we dont fail simply due to git ref difference)
+		local = strip_comments(local)
+		remote = strip_comments(remote)
+
+		// generate the hash of the local copy
+		local_sha, err := hash(local)
+		if err != nil {
+			log.Fatalf("Local Hash Generation Error: %v", err)
+		}
+
+		// generate the hash of the remote copy
+		remote_sha, err := hash(remote)
+		if err != nil {
+			log.Fatalf("Remote Hash Generation Error: %v", err)
+		}
+
+		// if the hashes dont match then the local copy needs to be updated
+		if local_sha != remote_sha {
+			log.Fatalf("Disposable email domain list needs to be updated!! \"make lint-disposable-emails-fix\"")
+		}
+	} else {
+		// generate the source code (array of domains)
+		res, err := generate()
+		if err != nil {
+			log.Fatalf("Generation Error: %v", err)
+		}
+
+		// write result to a file
+		err = os.WriteFile(*outPat, res, 0o644)
+		if err != nil {
+			log.Fatalf("File Write Error: %v", err)
+		}
+	}
+}
+
+func strip_comments(data []byte) []byte {
+	result := make([]byte, 0, len(data))
+
+	re := regexp.MustCompile(`^\W*//.*$`)
+
+	for _, line := range bytes.Split(data, []byte("\n")) {
+		if !re.Match(line) {
+			result = append(result, line...)
+		}
+	}
+
+	return result
+}
+
+func hash(data []byte) (string, error) {
+	var err error
+
+	hash := crypto.SHA3_256.New()
+
+	_, err = hash.Write(data)
+	if err != nil {
+		return "", err
+	}
+
+	return fmt.Sprintf("%x", hash.Sum(nil)), err
+}
+
+func get_local_file() ([]byte, error) {
+	var err error
+
+	f, err := os.Open(*outPat)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	data, err := io.ReadAll(f)
+	if err != nil {
+		return nil, err
+	}
+
+	return data, err
+}
+
+func get_remote() ([]string, error) {
+	var err error
+	var url string = fmt.Sprintf(disposableEmailListURL, *gitRef)
+
+	// download the domain list
+	res, err := http.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer res.Body.Close()
+
+	body, err := io.ReadAll(res.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	// go through all entries (1 domain per line)
+	scanner := bufio.NewScanner(bytes.NewReader(body))
+
+	var arrDomains []string
+	for scanner.Scan() {
+		line := scanner.Text()
+		arrDomains = append(arrDomains, line)
+	}
+
+	return arrDomains, err
+}
+
+func generate() ([]byte, error) {
+	var err error
+	var url string = fmt.Sprintf(disposableEmailListURL, *gitRef)
+
+	// download the domains list
+	arrDomains, err := get_remote()
+	if err != nil {
+		return nil, err
+	}
+
+	// build the string in a readable way
+	var sb strings.Builder
+
+	_, err = sb.WriteString("[]string{\n")
+	if err != nil {
+		return nil, err
+	}
+
+	for _, item := range arrDomains {
+		_, err = sb.WriteString(fmt.Sprintf("\t%q,\n", item))
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	_, err = sb.WriteString("}")
+	if err != nil {
+		return nil, err
+	}
+
+	// insert the values into file
+	final := fmt.Sprintf(hdr, url, sb.String())
+
+	return format.Source([]byte(final))
+}
+
+const hdr = `
+// Copyright 2024 James Hatfield
+// SPDX-License-Identifier: MIT
+//
+// Code generated by build/generate-disposable-email.go. DO NOT EDIT
+// Sourced from %s
+package setting
+
+import "sync"
+
+var DisposableEmailDomains = sync.OnceValue(func() []string {
+		return %s
+})
+`

build/generate-emoji.go

@@ -20,7 +20,7 @@ import (
 	"strings"
 	"unicode/utf8"
 
-	"code.gitea.io/gitea/modules/json"
+	"forgejo.org/modules/json"
 )
 
 const (
@@ -53,8 +53,6 @@ func (e Emoji) MarshalJSON() ([]byte, error) {
 }
 
 func main() {
-	var err error
-
 	flag.Parse()
 
 	// generate data
@@ -83,8 +81,6 @@ var replacer = strings.NewReplacer(
 var emojiRE = regexp.MustCompile(`\{Emoji:"([^"]*)"`)
 
 func generate() ([]byte, error) {
-	var err error
-
 	// load gemoji data
 	res, err := http.Get(gemojiURL)
 	if err != nil {
@@ -142,7 +138,7 @@ func generate() ([]byte, error) {
 		}
 	}
 
-	// gitea customizations
+	// Forgejo customizations
 	i, ok := aliasMap["tada"]
 	if ok {
 		data[i].Aliases = append(data[i].Aliases, "hooray")

build/generate-gitignores.go

@@ -15,7 +15,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"code.gitea.io/gitea/modules/util"
+	"forgejo.org/modules/util"
 )
 
 func main() {

build/generate-go-licenses.go

@@ -16,7 +16,7 @@ import (
 	"sort"
 	"strings"
 
-	"code.gitea.io/gitea/modules/container"
+	"forgejo.org/modules/container"
 )
 
 // regexp is based on go-license, excluding README and NOTICE
@@ -77,6 +77,20 @@ func main() {
 	sort.Strings(paths)
 
 	var entries []LicenseEntry
+
+	{
+		licenseText, err := os.ReadFile("LICENSE")
+		if err != nil {
+			panic(err)
+		}
+
+		entries = append(entries, LicenseEntry{
+			Name:        "codeberg.org/forgejo/forgejo",
+			Path:        "codeberg.org/forgejo/forgejo/GPL-3.0-or-later",
+			LicenseText: string(licenseText),
+		})
+	}
+
 	for _, filePath := range paths {
 		licenseText, err := os.ReadFile(filePath)
 		if err != nil {
@@ -88,9 +102,9 @@ func main() {
 		pkgName := path.Dir(pkgPath)
 
 		// There might be a bug somewhere in go-licenses that sometimes interprets the
-		// root package as "." and sometimes as "code.gitea.io/gitea". Workaround by
+		// root package as "." and sometimes as "forgejo.org". Workaround by
 		// removing both of them for the sake of stable output.
-		if pkgName == "." || pkgName == "code.gitea.io/gitea" {
+		if pkgName == "." || pkgName == "forgejo.org" {
 			continue
 		}
 

build/generate-licenses.go

@@ -15,7 +15,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"code.gitea.io/gitea/modules/util"
+	"forgejo.org/modules/util"
 )
 
 func main() {

build/gocovmerge.go

@@ -1,118 +0,0 @@
-// Copyright 2020 The Gitea Authors. All rights reserved.
-// Copyright (c) 2015, Wade Simmons
-// SPDX-License-Identifier: MIT
-
-// gocovmerge takes the results from multiple `go test -coverprofile` runs and
-// merges them into one profile
-
-//go:build ignore
-
-package main
-
-import (
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"os"
-	"sort"
-
-	"golang.org/x/tools/cover"
-)
-
-func mergeProfiles(p, merge *cover.Profile) {
-	if p.Mode != merge.Mode {
-		log.Fatalf("cannot merge profiles with different modes")
-	}
-	// Since the blocks are sorted, we can keep track of where the last block
-	// was inserted and only look at the blocks after that as targets for merge
-	startIndex := 0
-	for _, b := range merge.Blocks {
-		startIndex = mergeProfileBlock(p, b, startIndex)
-	}
-}
-
-func mergeProfileBlock(p *cover.Profile, pb cover.ProfileBlock, startIndex int) int {
-	sortFunc := func(i int) bool {
-		pi := p.Blocks[i+startIndex]
-		return pi.StartLine >= pb.StartLine && (pi.StartLine != pb.StartLine || pi.StartCol >= pb.StartCol)
-	}
-
-	i := 0
-	if sortFunc(i) != true {
-		i = sort.Search(len(p.Blocks)-startIndex, sortFunc)
-	}
-	i += startIndex
-	if i < len(p.Blocks) && p.Blocks[i].StartLine == pb.StartLine && p.Blocks[i].StartCol == pb.StartCol {
-		if p.Blocks[i].EndLine != pb.EndLine || p.Blocks[i].EndCol != pb.EndCol {
-			log.Fatalf("OVERLAP MERGE: %v %v %v", p.FileName, p.Blocks[i], pb)
-		}
-		switch p.Mode {
-		case "set":
-			p.Blocks[i].Count |= pb.Count
-		case "count", "atomic":
-			p.Blocks[i].Count += pb.Count
-		default:
-			log.Fatalf("unsupported covermode: '%s'", p.Mode)
-		}
-	} else {
-		if i > 0 {
-			pa := p.Blocks[i-1]
-			if pa.EndLine >= pb.EndLine && (pa.EndLine != pb.EndLine || pa.EndCol > pb.EndCol) {
-				log.Fatalf("OVERLAP BEFORE: %v %v %v", p.FileName, pa, pb)
-			}
-		}
-		if i < len(p.Blocks)-1 {
-			pa := p.Blocks[i+1]
-			if pa.StartLine <= pb.StartLine && (pa.StartLine != pb.StartLine || pa.StartCol < pb.StartCol) {
-				log.Fatalf("OVERLAP AFTER: %v %v %v", p.FileName, pa, pb)
-			}
-		}
-		p.Blocks = append(p.Blocks, cover.ProfileBlock{})
-		copy(p.Blocks[i+1:], p.Blocks[i:])
-		p.Blocks[i] = pb
-	}
-	return i + 1
-}
-
-func addProfile(profiles []*cover.Profile, p *cover.Profile) []*cover.Profile {
-	i := sort.Search(len(profiles), func(i int) bool { return profiles[i].FileName >= p.FileName })
-	if i < len(profiles) && profiles[i].FileName == p.FileName {
-		mergeProfiles(profiles[i], p)
-	} else {
-		profiles = append(profiles, nil)
-		copy(profiles[i+1:], profiles[i:])
-		profiles[i] = p
-	}
-	return profiles
-}
-
-func dumpProfiles(profiles []*cover.Profile, out io.Writer) {
-	if len(profiles) == 0 {
-		return
-	}
-	fmt.Fprintf(out, "mode: %s\n", profiles[0].Mode)
-	for _, p := range profiles {
-		for _, b := range p.Blocks {
-			fmt.Fprintf(out, "%s:%d.%d,%d.%d %d %d\n", p.FileName, b.StartLine, b.StartCol, b.EndLine, b.EndCol, b.NumStmt, b.Count)
-		}
-	}
-}
-
-func main() {
-	flag.Parse()
-
-	var merged []*cover.Profile
-
-	for _, file := range flag.Args() {
-		profiles, err := cover.ParseProfiles(file)
-		if err != nil {
-			log.Fatalf("failed to parse profile '%s': %v", file, err)
-		}
-		for _, p := range profiles {
-			merged = addProfile(merged, p)
-		}
-	}
-
-	dumpProfiles(merged, os.Stdout)
-}

build/lint-locale-usage/lint-locale-usage.go

@@ -0,0 +1,383 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package main
+
+import (
+	"fmt"
+	"go/ast"
+	goParser "go/parser"
+	"go/token"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"text/template"
+	tmplParser "text/template/parse"
+
+	"forgejo.org/modules/container"
+	fjTemplates "forgejo.org/modules/templates"
+	"forgejo.org/modules/translation/localeiter"
+	"forgejo.org/modules/util"
+)
+
+// this works by first gathering all valid source string IDs from `en-US` reference files
+// and then checking if all used source strings are actually defined
+
+type LocatedError struct {
+	Location string
+	Kind     string
+	Err      error
+}
+
+func (e LocatedError) Error() string {
+	var sb strings.Builder
+
+	sb.WriteString(e.Location)
+	sb.WriteString(":\t")
+	if e.Kind != "" {
+		sb.WriteString(e.Kind)
+		sb.WriteString(": ")
+	}
+	sb.WriteString("ERROR: ")
+	sb.WriteString(e.Err.Error())
+
+	return sb.String()
+}
+
+func InitLocaleTrFunctions() map[string][]uint {
+	ret := make(map[string][]uint)
+
+	f0 := []uint{0}
+	ret["Tr"] = f0
+	ret["TrString"] = f0
+	ret["TrHTML"] = f0
+
+	ret["TrPluralString"] = []uint{1}
+	ret["TrN"] = []uint{1, 2}
+
+	return ret
+}
+
+type Handler struct {
+	OnMsgid            func(fset *token.FileSet, pos token.Pos, msgid string)
+	OnUnexpectedInvoke func(fset *token.FileSet, pos token.Pos, funcname string, argc int)
+	LocaleTrFunctions  map[string][]uint
+}
+
+// the `Handle*File` functions follow the following calling convention:
+// * `fname` is the name of the input file
+// * `src` is either `nil` (then the function invokes `ReadFile` to read the file)
+//   or the contents of the file as {`[]byte`, or a `string`}
+
+func (handler Handler) HandleGoFile(fname string, src any) error {
+	fset := token.NewFileSet()
+	node, err := goParser.ParseFile(fset, fname, src, goParser.SkipObjectResolution)
+	if err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Go parser",
+			Err:      err,
+		}
+	}
+
+	ast.Inspect(node, func(n ast.Node) bool {
+		// search for function calls of the form `anything.Tr(any-string-lit, ...)`
+
+		call, ok := n.(*ast.CallExpr)
+		if !ok || len(call.Args) < 1 {
+			return true
+		}
+
+		funSel, ok := call.Fun.(*ast.SelectorExpr)
+		if !ok {
+			return true
+		}
+
+		ltf, ok := handler.LocaleTrFunctions[funSel.Sel.Name]
+		if !ok {
+			return true
+		}
+
+		var gotUnexpectedInvoke *int
+
+		for _, argNum := range ltf {
+			if len(call.Args) >= int(argNum+1) {
+				argLit, ok := call.Args[int(argNum)].(*ast.BasicLit)
+				if !ok || argLit.Kind != token.STRING {
+					continue
+				}
+
+				// extract string content
+				arg, err := strconv.Unquote(argLit.Value)
+				if err == nil {
+					// found interesting strings
+					handler.OnMsgid(fset, argLit.ValuePos, arg)
+				}
+			} else {
+				argc := len(call.Args)
+				gotUnexpectedInvoke = &argc
+			}
+		}
+
+		if gotUnexpectedInvoke != nil {
+			handler.OnUnexpectedInvoke(fset, funSel.Sel.NamePos, funSel.Sel.Name, *gotUnexpectedInvoke)
+		}
+
+		return true
+	})
+
+	return nil
+}
+
+// derived from source: modules/templates/scopedtmpl/scopedtmpl.go, L169-L213
+func (handler Handler) handleTemplateNode(fset *token.FileSet, node tmplParser.Node) {
+	switch node.Type() {
+	case tmplParser.NodeAction:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.ActionNode).Pipe)
+	case tmplParser.NodeList:
+		nodeList := node.(*tmplParser.ListNode)
+		handler.handleTemplateFileNodes(fset, nodeList.Nodes)
+	case tmplParser.NodePipe:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.PipeNode))
+	case tmplParser.NodeTemplate:
+		handler.handleTemplatePipeNode(fset, node.(*tmplParser.TemplateNode).Pipe)
+	case tmplParser.NodeIf:
+		nodeIf := node.(*tmplParser.IfNode)
+		handler.handleTemplateBranchNode(fset, nodeIf.BranchNode)
+	case tmplParser.NodeRange:
+		nodeRange := node.(*tmplParser.RangeNode)
+		handler.handleTemplateBranchNode(fset, nodeRange.BranchNode)
+	case tmplParser.NodeWith:
+		nodeWith := node.(*tmplParser.WithNode)
+		handler.handleTemplateBranchNode(fset, nodeWith.BranchNode)
+
+	case tmplParser.NodeCommand:
+		nodeCommand := node.(*tmplParser.CommandNode)
+
+		handler.handleTemplateFileNodes(fset, nodeCommand.Args)
+
+		if len(nodeCommand.Args) < 2 {
+			return
+		}
+
+		nodeChain, ok := nodeCommand.Args[0].(*tmplParser.ChainNode)
+		if !ok {
+			return
+		}
+
+		nodeIdent, ok := nodeChain.Node.(*tmplParser.IdentifierNode)
+		if !ok || nodeIdent.Ident != "ctx" || len(nodeChain.Field) != 2 || nodeChain.Field[0] != "Locale" {
+			return
+		}
+
+		ltf, ok := handler.LocaleTrFunctions[nodeChain.Field[1]]
+		if !ok {
+			return
+		}
+
+		var gotUnexpectedInvoke *int
+
+		for _, argNum := range ltf {
+			if len(nodeCommand.Args) >= int(argNum+2) {
+				nodeString, ok := nodeCommand.Args[int(argNum+1)].(*tmplParser.StringNode)
+				if ok {
+					// found interesting strings
+					// the column numbers are a bit "off", but much better than nothing
+					handler.OnMsgid(fset, token.Pos(nodeString.Pos), nodeString.Text)
+				}
+			} else {
+				argc := len(nodeCommand.Args) - 1
+				gotUnexpectedInvoke = &argc
+			}
+		}
+
+		if gotUnexpectedInvoke != nil {
+			handler.OnUnexpectedInvoke(fset, token.Pos(nodeChain.Pos), nodeChain.Field[1], *gotUnexpectedInvoke)
+		}
+
+	default:
+	}
+}
+
+func (handler Handler) handleTemplatePipeNode(fset *token.FileSet, pipeNode *tmplParser.PipeNode) {
+	if pipeNode == nil {
+		return
+	}
+
+	// NOTE: we can't pass `pipeNode.Cmds` to handleTemplateFileNodes due to incompatible argument types
+	for _, node := range pipeNode.Cmds {
+		handler.handleTemplateNode(fset, node)
+	}
+}
+
+func (handler Handler) handleTemplateBranchNode(fset *token.FileSet, branchNode tmplParser.BranchNode) {
+	handler.handleTemplatePipeNode(fset, branchNode.Pipe)
+	handler.handleTemplateFileNodes(fset, branchNode.List.Nodes)
+	if branchNode.ElseList != nil {
+		handler.handleTemplateFileNodes(fset, branchNode.ElseList.Nodes)
+	}
+}
+
+func (handler Handler) handleTemplateFileNodes(fset *token.FileSet, nodes []tmplParser.Node) {
+	for _, node := range nodes {
+		handler.handleTemplateNode(fset, node)
+	}
+}
+
+func (handler Handler) HandleTemplateFile(fname string, src any) error {
+	var tmplContent []byte
+	switch src2 := src.(type) {
+	case nil:
+		var err error
+		tmplContent, err = os.ReadFile(fname)
+		if err != nil {
+			return LocatedError{
+				Location: fname,
+				Kind:     "ReadFile",
+				Err:      err,
+			}
+		}
+	case []byte:
+		tmplContent = src2
+	case string:
+		// SAFETY: we do not modify tmplContent below
+		tmplContent = util.UnsafeStringToBytes(src2)
+	default:
+		panic("invalid type for 'src'")
+	}
+
+	fset := token.NewFileSet()
+	fset.AddFile(fname, 1, len(tmplContent)).SetLinesForContent(tmplContent)
+	// SAFETY: we do not modify tmplContent2 below
+	tmplContent2 := util.UnsafeBytesToString(tmplContent)
+
+	tmpl := template.New(fname)
+	tmpl.Funcs(fjTemplates.NewFuncMap())
+	tmplParsed, err := tmpl.Parse(tmplContent2)
+	if err != nil {
+		return LocatedError{
+			Location: fname,
+			Kind:     "Template parser",
+			Err:      err,
+		}
+	}
+	handler.handleTemplateFileNodes(fset, tmplParsed.Root.Nodes)
+	return nil
+}
+
+// This command assumes that we get started from the project root directory
+//
+// Possible command line flags:
+//
+//	--allow-missing-msgids        don't return an error code if missing message IDs are found
+//
+// EXIT CODES:
+//
+//	0  success, no issues found
+//	1  unable to walk directory tree
+//	2  unable to parse locale ini/json files
+//	3  unable to parse go or text/template files
+//	4  found missing message IDs
+//
+//nolint:forbidigo
+func main() {
+	allowMissingMsgids := false
+	for _, arg := range os.Args[1:] {
+		if arg == "--allow-missing-msgids" {
+			allowMissingMsgids = true
+		}
+	}
+
+	onError := func(err error) {
+		if err == nil {
+			return
+		}
+		fmt.Println(err.Error())
+		os.Exit(3)
+	}
+
+	msgids := make(container.Set[string])
+
+	localeFile := filepath.Join(filepath.Join("options", "locale"), "locale_en-US.ini")
+	localeContent, err := os.ReadFile(localeFile)
+	if err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	if err = localeiter.IterateMessagesContent(localeContent, func(trKey, trValue string) error {
+		msgids[trKey] = struct{}{}
+		return nil
+	}); err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	localeFile = filepath.Join(filepath.Join("options", "locale_next"), "locale_en-US.json")
+	localeContent, err = os.ReadFile(localeFile)
+	if err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	if err := localeiter.IterateMessagesNextContent(localeContent, func(trKey, pluralForm, trValue string) error {
+		// ignore plural form
+		msgids[trKey] = struct{}{}
+		return nil
+	}); err != nil {
+		fmt.Printf("%s:\tERROR: %s\n", localeFile, err.Error())
+		os.Exit(2)
+	}
+
+	gotAnyMsgidError := false
+
+	handler := Handler{
+		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string) {
+			if !msgids.Contains(msgid) {
+				gotAnyMsgidError = true
+				fmt.Printf("%s:\tmissing msgid: %s\n", fset.Position(pos).String(), msgid)
+			}
+		},
+		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {
+			gotAnyMsgidError = true
+			fmt.Printf("%s:\tunexpected invocation of %s with %d arguments\n", fset.Position(pos).String(), funcname, argc)
+		},
+		LocaleTrFunctions: InitLocaleTrFunctions(),
+	}
+
+	if err := filepath.WalkDir(".", func(fpath string, d fs.DirEntry, err error) error {
+		if err != nil {
+			if os.IsNotExist(err) {
+				return nil
+			}
+			return err
+		}
+		name := d.Name()
+		if d.IsDir() {
+			if name == "docker" || name == ".git" || name == "node_modules" {
+				return fs.SkipDir
+			}
+		} else if name == "bindata.go" || fpath == "modules/translation/i18n/i18n_test.go" {
+			// skip false positives
+		} else if strings.HasSuffix(name, ".go") {
+			onError(handler.HandleGoFile(fpath, nil))
+		} else if strings.HasSuffix(name, ".tmpl") {
+			if strings.HasPrefix(fpath, "tests") && strings.HasSuffix(name, ".ini.tmpl") {
+				// skip false positives
+			} else {
+				onError(handler.HandleTemplateFile(fpath, nil))
+			}
+		}
+		return nil
+	}); err != nil {
+		fmt.Printf("walkdir ERROR: %s\n", err.Error())
+		os.Exit(1)
+	}
+
+	if !allowMissingMsgids && gotAnyMsgidError {
+		os.Exit(4)
+	}
+}

build/lint-locale-usage/lint-locale-usage_test.go

@@ -0,0 +1,50 @@
+// Copyright 2025 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package main
+
+import (
+	"go/token"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func buildHandler(ret *[]string) Handler {
+	return Handler{
+		OnMsgid: func(fset *token.FileSet, pos token.Pos, msgid string) {
+			*ret = append(*ret, msgid)
+		},
+		OnUnexpectedInvoke: func(fset *token.FileSet, pos token.Pos, funcname string, argc int) {},
+		LocaleTrFunctions:  InitLocaleTrFunctions(),
+	}
+}
+
+func HandleGoFileWrapped(t *testing.T, fname, src string) []string {
+	var ret []string
+	handler := buildHandler(&ret)
+	require.NoError(t, handler.HandleGoFile(fname, src))
+	return ret
+}
+
+func HandleTemplateFileWrapped(t *testing.T, fname, src string) []string {
+	var ret []string
+	handler := buildHandler(&ret)
+	require.NoError(t, handler.HandleTemplateFile(fname, src))
+	return ret
+}
+
+func TestUsagesParser(t *testing.T) {
+	t.Run("go, simple", func(t *testing.T) {
+		assert.Equal(t,
+			[]string{"what.an.example"},
+			HandleGoFileWrapped(t, "<g1>", "package main\nfunc Render(ctx *context.Context) string { return ctx.Tr(\"what.an.example\"); }\n"))
+	})
+
+	t.Run("template, simple", func(t *testing.T) {
+		assert.Equal(t,
+			[]string{"what.an.example"},
+			HandleTemplateFileWrapped(t, "<t1>", "{{ ctx.Locale.Tr \"what.an.example\" }}\n"))
+	})
+}

build/lint-locale/lint-locale.go

@@ -0,0 +1,195 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+//nolint:forbidigo
+package main
+
+import (
+	"fmt"
+	"html"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"regexp"
+	"slices"
+	"strings"
+
+	"forgejo.org/modules/translation/localeiter"
+
+	"github.com/microcosm-cc/bluemonday"
+	"github.com/sergi/go-diff/diffmatchpatch"
+)
+
+var (
+	policy     *bluemonday.Policy
+	tagRemover *strings.Replacer
+	safeURL    = "https://TO-BE-REPLACED.COM"
+
+	// Matches href="", href="#", href="%s", href="#%s", href="%[1]s" and href="#%[1]s".
+	placeHolderRegex = regexp.MustCompile(`href="#?(%s|%\[\d\]s)?"`)
+
+	dmp = diffmatchpatch.New()
+)
+
+func initBlueMondayPolicy() {
+	policy = bluemonday.NewPolicy()
+
+	policy.RequireParseableURLs(true)
+	policy.AllowURLSchemes("https")
+
+	// Only allow safe URL on href.
+	// Only allow target="_blank".
+	// Only allow rel="nopener noreferrer", rel="noopener" and rel="noreferrer".
+	// Only allow placeholder on id and class.
+	policy.AllowAttrs("href").Matching(regexp.MustCompile("^" + regexp.QuoteMeta(safeURL) + "$")).OnElements("a")
+	policy.AllowAttrs("target").Matching(regexp.MustCompile("^_blank$")).OnElements("a")
+	policy.AllowAttrs("rel").Matching(regexp.MustCompile("^(noopener|noreferrer|noopener noreferrer)$")).OnElements("a")
+	policy.AllowAttrs("id", "class").Matching(regexp.MustCompile(`^%s|%\[\d\]s$`)).OnElements("a")
+
+	// Only allow positional placeholder as class.
+	positionalPlaceholderRe := regexp.MustCompile(`^%\[\d\]s$`)
+	policy.AllowAttrs("class").Matching(positionalPlaceholderRe).OnElements("strong")
+	policy.AllowAttrs("id").Matching(positionalPlaceholderRe).OnElements("code")
+
+	// Allowed elements with no attributes. Must be a recognized tagname.
+	policy.AllowElements("strong", "br", "b", "strike", "code", "i")
+
+	// TODO: Remove <c> in `actions.workflow.dispatch.trigger_found`.
+	policy.AllowNoAttrs().OnElements("c")
+}
+
+func initRemoveTags() {
+	oldnew := []string{}
+	for _, el := range []string{
+		"email@example.com", "correu@example.com", "epasts@domens.lv", "email@exemplo.com", "eposta@ornek.com", "email@példa.hu", "email@esempio.it",
+		"user", "utente", "lietotājs", "gebruiker", "usuário", "Benutzer", "Bruker", "bruger", "użytkownik",
+		"server", "servidor", "kiszolgáló", "serveris",
+		"label", "etichetta", "etiķete", "rótulo", "Label", "utilizador", "etiket", "iezīme", "etykieta",
+	} {
+		oldnew = append(oldnew, "<"+el+">", "REPLACED-TAG")
+	}
+
+	tagRemover = strings.NewReplacer(oldnew...)
+}
+
+func preprocessTranslationValue(value string) string {
+	// href should be a parsable URL, replace placeholder strings with a safe url.
+	value = placeHolderRegex.ReplaceAllString(value, `href="`+safeURL+`"`)
+
+	// Remove tags that aren't tags but will be parsed as tags. We already know they are safe and sound.
+	value = tagRemover.Replace(value)
+
+	return value
+}
+
+func checkValue(trKey, value string) []string {
+	keyValue := preprocessTranslationValue(value)
+
+	if html.UnescapeString(policy.Sanitize(keyValue)) == keyValue {
+		return nil
+	}
+
+	// Create a nice diff of the difference.
+	diffs := dmp.DiffMain(keyValue, html.UnescapeString(policy.Sanitize(keyValue)), false)
+	diffs = dmp.DiffCleanupSemantic(diffs)
+	diffs = dmp.DiffCleanupEfficiency(diffs)
+
+	return []string{trKey + ": " + dmp.DiffPrettyText(diffs)}
+}
+
+func checkLocaleContent(localeContent []byte) []string {
+	errors := []string{}
+
+	if err := localeiter.IterateMessagesContent(localeContent, func(trKey, trValue string) error {
+		errors = append(errors, checkValue(trKey, trValue)...)
+		return nil
+	}); err != nil {
+		panic(err)
+	}
+
+	return errors
+}
+
+func checkLocaleNextContent(localeContent []byte) []string {
+	errors := []string{}
+
+	if err := localeiter.IterateMessagesNextContent(localeContent, func(trKey, pluralForm, trValue string) error {
+		fullKey := trKey
+		if pluralForm != "" {
+			fullKey = trKey + "." + pluralForm
+		}
+		errors = append(errors, checkValue(fullKey, trValue)...)
+		return nil
+	}); err != nil {
+		panic(err)
+	}
+
+	return errors
+}
+
+func main() {
+	initBlueMondayPolicy()
+	initRemoveTags()
+
+	localeDir := filepath.Join("options", "locale")
+	localeFiles, err := os.ReadDir(localeDir)
+	if err != nil {
+		panic(err)
+	}
+
+	// Safety check that we are not reading the wrong directory.
+	if !slices.ContainsFunc(localeFiles, func(e fs.DirEntry) bool { return strings.HasSuffix(e.Name(), ".ini") }) {
+		fmt.Println("No locale files found")
+		os.Exit(1)
+	}
+
+	exitCode := 0
+	for _, localeFile := range localeFiles {
+		if !strings.HasSuffix(localeFile.Name(), ".ini") {
+			continue
+		}
+
+		localeContent, err := os.ReadFile(filepath.Join(localeDir, localeFile.Name()))
+		if err != nil {
+			fmt.Println(localeFile.Name())
+			panic(err)
+		}
+
+		if err := checkLocaleContent(localeContent); len(err) > 0 {
+			fmt.Println(localeFile.Name())
+			fmt.Println(strings.Join(err, "\n"))
+			fmt.Println()
+			exitCode = 1
+		}
+	}
+
+	// Check the locale next.
+	localeDir = filepath.Join("options", "locale_next")
+	localeFiles, err = os.ReadDir(localeDir)
+	if err != nil {
+		panic(err)
+	}
+
+	// Safety check that we are not reading the wrong directory.
+	if !slices.ContainsFunc(localeFiles, func(e fs.DirEntry) bool { return strings.HasSuffix(e.Name(), ".json") }) {
+		fmt.Println("No locale_next files found")
+		os.Exit(1)
+	}
+
+	for _, localeFile := range localeFiles {
+		localeContent, err := os.ReadFile(filepath.Join(localeDir, localeFile.Name()))
+		if err != nil {
+			fmt.Println(localeFile.Name())
+			panic(err)
+		}
+
+		if err := checkLocaleNextContent(localeContent); len(err) > 0 {
+			fmt.Println(localeFile.Name())
+			fmt.Println(strings.Join(err, "\n"))
+			fmt.Println()
+			exitCode = 1
+		}
+	}
+
+	os.Exit(exitCode)
+}

build/lint-locale/lint-locale_test.go

@@ -0,0 +1,106 @@
+// Copyright 2024 The Forgejo Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+package main
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLocalizationPolicy(t *testing.T) {
+	initBlueMondayPolicy()
+	initRemoveTags()
+
+	t.Run("Remove tags", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte(`hidden_comment_types_description = Comment types checked here will not be shown inside issue pages. Checking "Label" for example removes all "<user> added/removed <label>" comments.`)))
+
+		assert.Equal(t, []string{"key: \x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<not-an-allowed-key> <label>"`)))
+		assert.Equal(t, []string{"key: \x1b[31m<user@example.com>\x1b[0m REPLACED-TAG"}, checkLocaleContent([]byte(`key = "<user@example.com> <email@example.com>"`)))
+		assert.Equal(t, []string{"key: \x1b[31m<tag>\x1b[0m REPLACED-TAG \x1b[31m</tag>\x1b[0m"}, checkLocaleContent([]byte(`key = "<tag> <email@example.com> </tag>"`)))
+	})
+
+	t.Run("Specific exception", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <c>workflow_dispatch</c> event trigger.`)))
+		assert.Empty(t, checkLocaleContent([]byte(`pulls.title_desc_one = wants to merge %[1]d commit from <code>%[2]s</code> into <code id="%[4]s">%[3]s</code>`)))
+		assert.Empty(t, checkLocaleContent([]byte(`editor.commit_directly_to_this_branch = Commit directly to the <strong class="%[2]s">%[1]s</strong> branch.`)))
+
+		assert.Equal(t, []string{"workflow.dispatch.trigger_found: This workflow has a \x1b[31m<d>\x1b[0mworkflow_dispatch\x1b[31m</d>\x1b[0m event trigger."}, checkLocaleContent([]byte(`workflow.dispatch.trigger_found = This workflow has a <d>workflow_dispatch</d> event trigger.`)))
+		assert.Equal(t, []string{"key: <code\x1b[31m id=\"branch_targe\"\x1b[0m>%[3]s</code>"}, checkLocaleContent([]byte(`key = <code id="branch_targe">%[3]s</code>`)))
+		assert.Equal(t, []string{"key: <a\x1b[31m class=\"ui sh\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="ui sh" href="%[3]s">`)))
+		assert.Equal(t, []string{"key: <a\x1b[31m class=\"js-click-me\"\x1b[0m href=\"https://TO-BE-REPLACED.COM\">"}, checkLocaleContent([]byte(`key = <a class="js-click-me" href="%[3]s">`)))
+		assert.Equal(t, []string{"key: <strong\x1b[31m class=\"branch-target\"\x1b[0m>%[1]s</strong>"}, checkLocaleContent([]byte(`key = <strong class="branch-target">%[1]s</strong>`)))
+	})
+
+	t.Run("General safe tags", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
+		assert.Empty(t, checkLocaleContent([]byte("teams.specific_repositories_helper = Members will only have access to repositories explicitly added to the team. Selecting this <strong>will not</strong> automatically remove repositories already added with <i>All repositories</i>.")))
+		assert.Empty(t, checkLocaleContent([]byte("sqlite_helper = File path for the SQLite3 database.<br>Enter an absolute path if you run Forgejo as a service.")))
+		assert.Empty(t, checkLocaleContent([]byte("hi_user_x = Hi <b>%s</b>,")))
+
+		assert.Equal(t, []string{"error404: The page you are trying to reach either <strong\x1b[31m title='aaa'\x1b[0m>does not exist</strong> or <strong>you are not authorized</strong> to view it."}, checkLocaleContent([]byte("error404 = The page you are trying to reach either <strong title='aaa'>does not exist</strong> or <strong>you are not authorized</strong> to view it.")))
+	})
+
+	t.Run("<a>", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte(`admin.new_user.text = Please <a href="%s">click here</a> to manage this user from the admin panel.`)))
+		assert.Empty(t, checkLocaleContent([]byte(`access_token_desc = Selected token permissions limit authorization only to the corresponding <a href="%[1]s" target="_blank">API</a> routes. Read the <a href="%[2]s" target="_blank">documentation</a> for more information.`)))
+		assert.Empty(t, checkLocaleContent([]byte(`webauthn_desc = Security keys are hardware devices containing cryptographic keys. They can be used for two-factor authentication. Security keys must support the <a rel="noreferrer" target="_blank" href="%s">WebAuthn Authenticator</a> standard.`)))
+		assert.Empty(t, checkLocaleContent([]byte("issues.closed_at = `closed this issue <a id=\"%[1]s\" href=\"#%[1]s\">%[2]s</a>`")))
+
+		assert.Equal(t, []string{"key: \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com">`)))
+		assert.Equal(t, []string{"key: \x1b[31m<a href=\"javascript:alert('1')\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="javascript:alert('1')">`)))
+		assert.Equal(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m download\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" download>`)))
+		assert.Equal(t, []string{"key: <a href=\"https://TO-BE-REPLACED.COM\"\x1b[31m target=\"_self\"\x1b[0m>"}, checkLocaleContent([]byte(`key = <a href="%s" target="_self">`)))
+		assert.Equal(t, []string{"key: \x1b[31m<a href=\"https://example.com/%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/%s">`)))
+		assert.Equal(t, []string{"key: \x1b[31m<a href=\"https://example.com/?q=%s\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="https://example.com/?q=%s">`)))
+		assert.Equal(t, []string{"key: \x1b[31m<a href=\"%s/open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s/open-redirect">`)))
+		assert.Equal(t, []string{"key: \x1b[31m<a href=\"%s?q=open-redirect\">\x1b[0m"}, checkLocaleContent([]byte(`key = <a href="%s?q=open-redirect">`)))
+	})
+
+	t.Run("Escaped HTML characters", func(t *testing.T) {
+		assert.Empty(t, checkLocaleContent([]byte("activity.git_stats_push_to_branch = `إلى %s و\"`")))
+
+		assert.Equal(t, []string{"key: و\x1b[31m&nbsp;\x1b[0m\x1b[32m\u00a0\x1b[0m"}, checkLocaleContent([]byte(`key = و&nbsp;`)))
+	})
+}
+
+func TestNextLocalizationPolicy(t *testing.T) {
+	initBlueMondayPolicy()
+	initRemoveTags()
+
+	t.Run("Nested locales", func(t *testing.T) {
+		assert.Empty(t, checkLocaleNextContent([]byte(`{
+			"settings": {
+				"hidden_comment_types_description": "Comment types checked here will not be shown inside issue pages. Checking \"Label\" for example removes all \"<user> added/removed <label>\" comments."
+			}
+		}`)))
+
+		assert.Equal(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent([]byte(`{
+			"settings": {
+				"hidden_comment_types_description": "\"<not-an-allowed-key> <label>\""
+			}
+		}`)))
+	})
+
+	t.Run("Flat locales", func(t *testing.T) {
+		assert.Empty(t, checkLocaleNextContent([]byte(`{
+			"settings.hidden_comment_types_description": "Comment types checked here will not be shown inside issue pages. Checking \"Label\" for example removes all \"<user> added/removed <label>\" comments."
+		}`)))
+
+		assert.Equal(t, []string{"settings.hidden_comment_types_description: \"\x1b[31m<not-an-allowed-key>\x1b[0m REPLACED-TAG\""}, checkLocaleNextContent([]byte(`{
+			"settings.hidden_comment_types_description": "\"<not-an-allowed-key> <label>\""
+		}`)))
+	})
+
+	t.Run("Plural form", func(t *testing.T) {
+		assert.Equal(t, []string{"repo.pulls.title_desc: key = \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleNextContent([]byte(`{"repo.pulls.title_desc": {
+                       "few": "key = <a href=\"%s\">",
+                       "other": "key = <a href=\"https://example.com\">"
+    }}`)))
+
+		assert.Equal(t, []string{"repo.pulls.title_desc.few: key = \x1b[31m<a href=\"https://example.com\">\x1b[0m"}, checkLocaleNextContent([]byte(`{"repo.pulls.title_desc": {
+                       "few": "key = <a href=\"https://example.com\">",
+                       "other": "key = <a href=\"%s\">"
+    }}`)))
+	})
+}

build/update-locales.sh

@@ -1,52 +0,0 @@
-#!/bin/sh
-
-# this script runs in alpine image which only has `sh` shell
-
-set +e
-if sed --version 2>/dev/null | grep -q GNU; then
-  SED_INPLACE="sed -i"
-else
-  SED_INPLACE="sed -i ''"
-fi
-set -e
-
-if [ ! -f ./options/locale/locale_en-US.ini ]; then
-  echo "please run this script in the root directory of the project"
-  exit 1
-fi
-
-mv ./options/locale/locale_en-US.ini ./options/
-
-# the "ini" library for locale has many quirks, its behavior is different from Crowdin.
-# see i18n_test.go for more details
-
-# this script helps to unquote the Crowdin outputs for the quirky ini library
-# * find all `key="...\"..."` lines
-# * remove the leading quote
-# * remove the trailing quote
-# * unescape the quotes
-# * eg: key="...\"..." => key=..."...
-$SED_INPLACE -r -e '/^[-.A-Za-z0-9_]+[ ]*=[ ]*".*"$/ {
-	s/^([-.A-Za-z0-9_]+)[ ]*=[ ]*"/\1=/
-	s/"$//
-	s/\\"/"/g
-	}' ./options/locale/*.ini
-
-# * if the escaped line is incomplete like `key="...` or `key=..."`, quote it with backticks
-# * eg: key="... => key=`"...`
-# * eg: key=..." => key=`..."`
-$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*(".*[^"])$/\1=`\2`/' ./options/locale/*.ini
-$SED_INPLACE -r -e 's/^([-.A-Za-z0-9_]+)[ ]*=[ ]*([^"].*")$/\1=`\2`/' ./options/locale/*.ini
-
-# Remove translation under 25% of en_us
-baselines=$(wc -l "./options/locale_en-US.ini" | cut -d" " -f1)
-baselines=$((baselines / 4))
-for filename in ./options/locale/*.ini; do
-  lines=$(wc -l "$filename" | cut -d" " -f1)
-  if [ $lines -lt $baselines ]; then
-    echo "Removing $filename: $lines/$baselines"
-    rm "$filename"
-  fi
-done
-
-mv ./options/locale_en-US.ini ./options/locale/

cmd/actions.go

@@ -6,8 +6,8 @@ package cmd
 import (
 	"fmt"
 
-	"code.gitea.io/gitea/modules/private"
-	"code.gitea.io/gitea/modules/setting"
+	"forgejo.org/modules/private"
+	"forgejo.org/modules/setting"
 
 	"github.com/urfave/cli/v2"
 )

cmd/admin.go

@@ -8,12 +8,12 @@ import (
 	"context"
 	"fmt"
 
-	"code.gitea.io/gitea/models/db"
-	repo_model "code.gitea.io/gitea/models/repo"
-	"code.gitea.io/gitea/modules/git"
-	"code.gitea.io/gitea/modules/gitrepo"
-	"code.gitea.io/gitea/modules/log"
-	repo_module "code.gitea.io/gitea/modules/repository"
+	"forgejo.org/models/db"
+	repo_model "forgejo.org/models/repo"
+	"forgejo.org/modules/git"
+	"forgejo.org/modules/gitrepo"
+	"forgejo.org/modules/log"
+	repo_module "forgejo.org/modules/repository"
 
 	"github.com/urfave/cli/v2"
 )

cmd/admin_auth.go

@@ -4,13 +4,14 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"os"
 	"text/tabwriter"
 
-	auth_model "code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/models/db"
-	auth_service "code.gitea.io/gitea/services/auth"
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/db"
+	auth_service "forgejo.org/services/auth"
 
 	"github.com/urfave/cli/v2"
 )
@@ -91,7 +92,7 @@ func runListAuth(c *cli.Context) error {
 
 func runDeleteAuth(c *cli.Context) error {
 	if !c.IsSet("id") {
-		return fmt.Errorf("--id flag is missing")
+		return errors.New("--id flag is missing")
 	}
 
 	ctx, cancel := installSignals()

cmd/admin_auth_ldap.go

@@ -8,8 +8,8 @@ import (
 	"fmt"
 	"strings"
 
-	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/services/auth/source/ldap"
+	"forgejo.org/models/auth"
+	"forgejo.org/services/auth/source/ldap"
 
 	"github.com/urfave/cli/v2"
 )
@@ -386,7 +386,7 @@ func (a *authService) addLdapSimpleAuth(c *cli.Context) error {
 	return a.createAuthSource(ctx, authSource)
 }
 
-// updateLdapBindDn updates a new LDAP (simple auth) authentication source.
+// updateLdapSimpleAuth updates a new LDAP (simple auth) authentication source.
 func (a *authService) updateLdapSimpleAuth(c *cli.Context) error {
 	ctx, cancel := installSignals()
 	defer cancel()

cmd/admin_auth_ldap_test.go

@@ -7,10 +7,11 @@ import (
 	"context"
 	"testing"
 
-	"code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/services/auth/source/ldap"
+	"forgejo.org/models/auth"
+	"forgejo.org/services/auth/source/ldap"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/urfave/cli/v2"
 )
 
@@ -215,11 +216,11 @@ func TestAddLdapBindDn(t *testing.T) {
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "case %d: should not call updateAuthSource", n)
+				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
 				return nil
 			},
 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
+				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
 				return nil, nil
 			},
 		}
@@ -234,7 +235,7 @@ func TestAddLdapBindDn(t *testing.T) {
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
-			assert.NoError(t, err, "case %d: should have no errors", n)
+			require.NoError(t, err, "case %d: should have no errors", n)
 			assert.Equal(t, c.source, createdAuthSource, "case %d: wrong authSource", n)
 		}
 	}
@@ -446,11 +447,11 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "case %d: should not call updateAuthSource", n)
+				assert.FailNow(t, "should not call updateAuthSource", "case: %d", n)
 				return nil
 			},
 			getAuthSourceByID: func(ctx context.Context, id int64) (*auth.Source, error) {
-				assert.FailNow(t, "case %d: should not call getAuthSourceByID", n)
+				assert.FailNow(t, "should not call getAuthSourceByID", "case: %d", n)
 				return nil, nil
 			},
 		}
@@ -465,7 +466,7 @@ func TestAddLdapSimpleAuth(t *testing.T) {
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
-			assert.NoError(t, err, "case %d: should have no errors", n)
+			require.NoError(t, err, "case %d: should have no errors", n)
 			assert.Equal(t, c.authSource, createdAuthSource, "case %d: wrong authSource", n)
 		}
 	}
@@ -897,7 +898,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 				return nil
 			},
 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "case %d: should not call createAuthSource", n)
+				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
@@ -928,7 +929,7 @@ func TestUpdateLdapBindDn(t *testing.T) {
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
-			assert.NoError(t, err, "case %d: should have no errors", n)
+			require.NoError(t, err, "case %d: should have no errors", n)
 			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
 		}
 	}
@@ -1287,7 +1288,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 				return nil
 			},
 			createAuthSource: func(ctx context.Context, authSource *auth.Source) error {
-				assert.FailNow(t, "case %d: should not call createAuthSource", n)
+				assert.FailNow(t, "should not call createAuthSource", "case: %d", n)
 				return nil
 			},
 			updateAuthSource: func(ctx context.Context, authSource *auth.Source) error {
@@ -1318,7 +1319,7 @@ func TestUpdateLdapSimpleAuth(t *testing.T) {
 		if c.errMsg != "" {
 			assert.EqualError(t, err, c.errMsg, "case %d: error should match", n)
 		} else {
-			assert.NoError(t, err, "case %d: should have no errors", n)
+			require.NoError(t, err, "case %d: should have no errors", n)
 			assert.Equal(t, c.authSource, updatedAuthSource, "case %d: wrong authSource", n)
 		}
 	}

cmd/admin_auth_oauth.go

@@ -4,11 +4,12 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"net/url"
 
-	auth_model "code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/services/auth/source/oauth2"
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/services/auth/source/oauth2"
 
 	"github.com/urfave/cli/v2"
 )
@@ -193,7 +194,7 @@ func runAddOauth(c *cli.Context) error {
 
 func runUpdateOauth(c *cli.Context) error {
 	if !c.IsSet("id") {
-		return fmt.Errorf("--id flag is missing")
+		return errors.New("--id flag is missing")
 	}
 
 	ctx, cancel := installSignals()

cmd/admin_auth_stmp.go

@@ -5,12 +5,11 @@ package cmd
 
 import (
 	"errors"
-	"fmt"
 	"strings"
 
-	auth_model "code.gitea.io/gitea/models/auth"
-	"code.gitea.io/gitea/modules/util"
-	"code.gitea.io/gitea/services/auth/source/smtp"
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/modules/util"
+	"forgejo.org/services/auth/source/smtp"
 
 	"github.com/urfave/cli/v2"
 )
@@ -166,7 +165,7 @@ func runAddSMTP(c *cli.Context) error {
 
 func runUpdateSMTP(c *cli.Context) error {
 	if !c.IsSet("id") {
-		return fmt.Errorf("--id flag is missing")
+		return errors.New("--id flag is missing")
 	}
 
 	ctx, cancel := installSignals()

cmd/admin_regenerate.go

@@ -4,9 +4,9 @@
 package cmd
 
 import (
-	asymkey_model "code.gitea.io/gitea/models/asymkey"
-	"code.gitea.io/gitea/modules/graceful"
-	repo_service "code.gitea.io/gitea/services/repository"
+	asymkey_model "forgejo.org/models/asymkey"
+	"forgejo.org/modules/graceful"
+	repo_service "forgejo.org/services/repository"
 
 	"github.com/urfave/cli/v2"
 )

cmd/admin_user_change_password.go

@@ -7,11 +7,11 @@ import (
 	"errors"
 	"fmt"
 
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/auth/password"
-	"code.gitea.io/gitea/modules/optional"
-	"code.gitea.io/gitea/modules/setting"
-	user_service "code.gitea.io/gitea/services/user"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/auth/password"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/setting"
+	user_service "forgejo.org/services/user"
 
 	"github.com/urfave/cli/v2"
 )
@@ -36,6 +36,7 @@ var microcmdUserChangePassword = &cli.Command{
 		&cli.BoolFlag{
 			Name:  "must-change-password",
 			Usage: "User must change password",
+			Value: true,
 		},
 	},
 }
@@ -57,23 +58,18 @@ func runChangePassword(c *cli.Context) error {
 		return err
 	}
 
-	var mustChangePassword optional.Option[bool]
-	if c.IsSet("must-change-password") {
-		mustChangePassword = optional.Some(c.Bool("must-change-password"))
-	}
-
 	opts := &user_service.UpdateAuthOptions{
 		Password:           optional.Some(c.String("password")),
-		MustChangePassword: mustChangePassword,
+		MustChangePassword: optional.Some(c.Bool("must-change-password")),
 	}
 	if err := user_service.UpdateAuth(ctx, user, opts); err != nil {
 		switch {
 		case errors.Is(err, password.ErrMinLength):
-			return fmt.Errorf("Password is not long enough. Needs to be at least %d", setting.MinPasswordLength)
+			return fmt.Errorf("password is not long enough, needs to be at least %d characters", setting.MinPasswordLength)
 		case errors.Is(err, password.ErrComplexity):
-			return errors.New("Password does not meet complexity requirements")
+			return errors.New("password does not meet complexity requirements")
 		case errors.Is(err, password.ErrIsPwned):
-			return errors.New("The password you chose is on a list of stolen passwords previously exposed in public data breaches. Please try again with a different password.\nFor more details, see https://haveibeenpwned.com/Passwords")
+			return errors.New("the password is in a list of stolen passwords previously exposed in public data breaches, please try again with a different password, to see more details: https://haveibeenpwned.com/Passwords")
 		default:
 			return err
 		}

cmd/admin_user_create.go

@@ -6,12 +6,14 @@ package cmd
 import (
 	"errors"
 	"fmt"
+	"strings"
 
-	auth_model "code.gitea.io/gitea/models/auth"
-	user_model "code.gitea.io/gitea/models/user"
-	pwd "code.gitea.io/gitea/modules/auth/password"
-	"code.gitea.io/gitea/modules/optional"
-	"code.gitea.io/gitea/modules/setting"
+	auth_model "forgejo.org/models/auth"
+	"forgejo.org/models/db"
+	user_model "forgejo.org/models/user"
+	pwd "forgejo.org/modules/auth/password"
+	"forgejo.org/modules/optional"
+	"forgejo.org/modules/setting"
 
 	"github.com/urfave/cli/v2"
 )
@@ -46,9 +48,10 @@ var microcmdUserCreate = &cli.Command{
 			Usage: "Generate a random password for the user",
 		},
 		&cli.BoolFlag{
-			Name:  "must-change-password",
-			Usage: "Set this option to false to prevent forcing the user to change their password after initial login",
-			Value: true,
+			Name:               "must-change-password",
+			Usage:              "Set this option to false to prevent forcing the user to change their password after initial login",
+			Value:              true,
+			DisableDefaultText: true,
 		},
 		&cli.IntFlag{
 			Name:  "random-password-length",
@@ -59,23 +62,41 @@ var microcmdUserCreate = &cli.Command{
 			Name:  "access-token",
 			Usage: "Generate access token for the user",
 		},
+		&cli.StringFlag{
+			Name:  "access-token-name",
+			Usage: `Name of the generated access token`,
+			Value: "gitea-admin",
+		},
+		&cli.StringFlag{
+			Name:  "access-token-scopes",
+			Usage: `Scopes of the generated access token, comma separated. Examples: "all", "public-only,read:issue", "write:repository,write:user"`,
+			Value: "all",
+		},
 		&cli.BoolFlag{
 			Name:  "restricted",
 			Usage: "Make a restricted user account",
 		},
+		&cli.StringFlag{
+			Name:  "fullname",
+			Usage: `The full, human-readable name of the user`,
+		},
 	},
 }
 
 func runCreateUser(c *cli.Context) error {
+	// this command highly depends on the many setting options (create org, visibility, etc.), so it must have a full setting load first
+	// duplicate setting loading should be safe at the moment, but it should be refactored & improved in the future.
+	setting.LoadSettings()
+
 	if err := argsSet(c, "email"); err != nil {
 		return err
 	}
 
 	if c.IsSet("name") && c.IsSet("username") {
-		return errors.New("Cannot set both --name and --username flags")
+		return errors.New("cannot set both --name and --username flags")
 	}
 	if !c.IsSet("name") && !c.IsSet("username") {
-		return errors.New("One of --name or --username flags must be set")
+		return errors.New("one of --name or --username flags must be set")
 	}
 
 	if c.IsSet("password") && c.IsSet("random-password") {
@@ -111,12 +132,21 @@ func runCreateUser(c *cli.Context) error {
 		return errors.New("must set either password or random-password flag")
 	}
 
-	changePassword := c.Bool("must-change-password")
-
-	// If this is the first user being created.
-	// Take it as the admin and don't force a password update.
-	if n := user_model.CountUsers(ctx, nil); n == 0 {
-		changePassword = false
+	isAdmin := c.Bool("admin")
+	mustChangePassword := true // always default to true
+	if c.IsSet("must-change-password") {
+		// if the flag is set, use the value provided by the user
+		mustChangePassword = c.Bool("must-change-password")
+	} else {
+		// check whether there are users in the database
+		hasUserRecord, err := db.IsTableNotEmpty(&user_model.User{})
+		if err != nil {
+			return fmt.Errorf("IsTableNotEmpty: %w", err)
+		}
+		if !hasUserRecord {
+			// if this is the first admin being created, don't force to change password (keep the old behavior)
+			mustChangePassword = false
+		}
 	}
 
 	restricted := optional.None[bool]()
@@ -132,9 +162,10 @@ func runCreateUser(c *cli.Context) error {
 		Name:               username,
 		Email:              c.String("email"),
 		Passwd:             password,
-		IsAdmin:            c.Bool("admin"),
-		MustChangePassword: changePassword,
+		IsAdmin:            isAdmin,
+		MustChangePassword: mustChangePassword,
 		Visibility:         visibility,
+		FullName:           c.String("fullname"),
 	}
 
 	overwriteDefault := &user_model.CreateUserOverwriteOptions{
@@ -142,23 +173,40 @@ func runCreateUser(c *cli.Context) error {
 		IsRestricted: restricted,
 	}
 
+	var accessTokenName string
+	var accessTokenScope auth_model.AccessTokenScope
+	if c.IsSet("access-token") {
+		accessTokenName = strings.TrimSpace(c.String("access-token-name"))
+		if accessTokenName == "" {
+			return errors.New("access-token-name cannot be empty")
+		}
+		var err error
+		accessTokenScope, err = auth_model.AccessTokenScope(c.String("access-token-scopes")).Normalize()
+		if err != nil {
+			return fmt.Errorf("invalid access token scope provided: %w", err)
+		}
+		if !accessTokenScope.HasPermissionScope() {
+			return errors.New("access token does not have any permission")
+		}
+	} else if c.IsSet("access-token-name") || c.IsSet("access-token-scopes") {
+		return errors.New("access-token-name and access-token-scopes flags are only valid when access-token flag is set")
+	}
+
+	// arguments should be prepared before creating the user & access token, in case there is anything wrong
+
+	// create the user
 	if err := user_model.CreateUser(ctx, u, overwriteDefault); err != nil {
 		return fmt.Errorf("CreateUser: %w", err)
 	}
+	fmt.Printf("New user '%s' has been successfully created!\n", username)
 
-	if c.Bool("access-token") {
-		t := &auth_model.AccessToken{
-			Name: "gitea-admin",
-			UID:  u.ID,
-		}
-
+	// create the access token
+	if accessTokenScope != "" {
+		t := &auth_model.AccessToken{Name: accessTokenName, UID: u.ID, Scope: accessTokenScope}
 		if err := auth_model.NewAccessToken(ctx, t); err != nil {
 			return err
 		}
-
 		fmt.Printf("Access token was successfully created... %s\n", t.Token)
 	}
-
-	fmt.Printf("New user '%s' has been successfully created!\n", username)
 	return nil
 }

cmd/admin_user_delete.go

@@ -4,12 +4,13 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 
-	user_model "code.gitea.io/gitea/models/user"
-	"code.gitea.io/gitea/modules/storage"
-	user_service "code.gitea.io/gitea/services/user"
+	user_model "forgejo.org/models/user"
+	"forgejo.org/modules/storage"
+	user_service "forgejo.org/services/user"
 
 	"github.com/urfave/cli/v2"
 )
@@ -42,7 +43,7 @@ var microcmdUserDelete = &cli.Command{
 
 func runDeleteUser(c *cli.Context) error {
 	if !c.IsSet("id") && !c.IsSet("username") && !c.IsSet("email") {
-		return fmt.Errorf("You must provide the id, username or email of a user to delete")
+		return errors.New("You must provide the id, username or email of a user to delete")
 	}
 
 	ctx, cancel := installSignals()

cmd/admin_user_generate_access_token.go

@@ -4,10 +4,11 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 
-	auth_model "code.gitea.io/gitea/models/auth"
-	user_model "code.gitea.io/gitea/models/user"
+	auth_model "forgejo.org/models/auth"
+	user_model "forgejo.org/models/user"
 
 	"github.com/urfave/cli/v2"
 )
@@ -33,8 +34,8 @@ var microcmdUserGenerateAccessToken = &cli.Command{
 		},
 		&cli.StringFlag{
 			Name:  "scopes",
-			Value: "",
-			Usage: "Comma separated list of scopes to apply to access token",
+			Value: "all",
+			Usage: `Comma separated list of scopes to apply to access token, examples: "all", "public-only,read:issue", "write:repository,write:user"`,
 		},
 	},
 	Action: runGenerateAccessToken,
@@ -42,7 +43,7 @@ var microcmdUserGenerateAccessToken = &cli.Command{
 
 func runGenerateAccessToken(c *cli.Context) error {
 	if !c.IsSet("username") {
-		return fmt.Errorf("You must provide a username to generate a token for")
+		return errors.New("you must provide a username to generate a token for")
 	}
 
 	ctx, cancel := installSignals()
@@ -68,7 +69,7 @@ func runGenerateAccessToken(c *cli.Context) error {
 		return err
 	}
 	if exist {
-		return fmt.Errorf("access token name has been used already")
+		return errors.New("access token name has been used already")
 	}
 
 	// make sure the scopes are valid
@@ -76,6 +77,9 @@ func runGenerateAccessToken(c *cli.Context) error {
 	if err != nil {
 		return fmt.Errorf("invalid access token scope provided: %w", err)
 	}
+	if !accessTokenScope.HasPermissionScope() {
+		return errors.New("access token does not have any permission")
+	}
 	t.Scope = accessTokenScope
 
 	// create the token

cmd/admin_user_list.go

@@ -8,7 +8,7 @@ import (
 	"os"
 	"text/tabwriter"
 
-	user_model "code.gitea.io/gitea/models/user"
+	user_model "forgejo.org/models/user"
 
 	"github.com/urfave/cli/v2"
 )

cmd/admin_user_must_change_password.go

@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"
 
-	user_model "code.gitea.io/gitea/models/user"
+	user_model "forgejo.org/models/user"
 
 	"github.com/urfave/cli/v2"
 )

cmd/cmd.go

@@ -15,10 +15,10 @@ import (
 	"strings"
 	"syscall"
 
-	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/util"
+	"forgejo.org/models/db"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/util"
 
 	"github.com/urfave/cli/v2"
 )

cmd/doctor.go

@@ -11,16 +11,15 @@ import (
 	"strings"
 	"text/tabwriter"
 
-	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/models/migrations"
-	migrate_base "code.gitea.io/gitea/models/migrations/base"
-	"code.gitea.io/gitea/modules/container"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/services/doctor"
+	"forgejo.org/models/db"
+	"forgejo.org/models/migrations"
+	migrate_base "forgejo.org/models/migrations/base"
+	"forgejo.org/modules/container"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/setting"
+	"forgejo.org/services/doctor"
 
 	"github.com/urfave/cli/v2"
-	"xorm.io/xorm"
 )
 
 // CmdDoctor represents the available doctor sub-command.
@@ -120,7 +119,7 @@ func runRecreateTable(ctx *cli.Context) error {
 
 	args := ctx.Args()
 	names := make([]string, 0, ctx.NArg())
-	for i := 0; i < ctx.NArg(); i++ {
+	for i := range ctx.NArg() {
 		names = append(names, args.Get(i))
 	}
 
@@ -130,11 +129,17 @@ func runRecreateTable(ctx *cli.Context) error {
 	}
 	recreateTables := migrate_base.RecreateTables(beans...)
 
-	return db.InitEngineWithMigration(stdCtx, func(x *xorm.Engine) error {
-		if err := migrations.EnsureUpToDate(x); err != nil {
+	return db.InitEngineWithMigration(stdCtx, func(x db.Engine) error {
+		engine, err := db.GetMasterEngine(x)
+		if err != nil {
 			return err
 		}
-		return recreateTables(x)
+
+		if err := migrations.EnsureUpToDate(engine); err != nil {
+			return err
+		}
+
+		return recreateTables(engine)
 	})
 }
 
@@ -143,11 +148,12 @@ func setupDoctorDefaultLogger(ctx *cli.Context, colorize bool) {
 	setupConsoleLogger(log.FATAL, log.CanColorStderr, os.Stderr)
 
 	logFile := ctx.String("log-file")
-	if logFile == "" {
+	switch logFile {
+	case "":
 		return // if no doctor log-file is set, do not show any log from default logger
-	} else if logFile == "-" {
+	case "-":
 		setupConsoleLogger(log.TRACE, colorize, os.Stdout)
-	} else {
+	default:
 		logFile, _ = filepath.Abs(logFile)
 		writeMode := log.WriterMode{Level: log.TRACE, WriterOption: log.WriterFileOption{FileName: logFile}}
 		writer, err := log.NewEventWriter("console-to-file", "file", writeMode)

cmd/doctor_convert.go

@@ -6,9 +6,9 @@ package cmd
 import (
 	"fmt"
 
-	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
+	"forgejo.org/models/db"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/setting"
 
 	"github.com/urfave/cli/v2"
 )
@@ -17,7 +17,7 @@ import (
 var cmdDoctorConvert = &cli.Command{
 	Name:        "convert",
 	Usage:       "Convert the database",
-	Description: "A command to convert an existing MySQL database from utf8 to utf8mb4 or MSSQL database from varchar to nvarchar",
+	Description: "A command to convert an existing MySQL database from utf8 to utf8mb4",
 	Action:      runDoctorConvert,
 }
 
@@ -35,21 +35,14 @@ func runDoctorConvert(ctx *cli.Context) error {
 	log.Info("Log path: %s", setting.Log.RootPath)
 	log.Info("Configuration file: %s", setting.CustomConf)
 
-	switch {
-	case setting.Database.Type.IsMySQL():
+	if setting.Database.Type.IsMySQL() {
 		if err := db.ConvertDatabaseTable(); err != nil {
 			log.Fatal("Failed to convert database & table: %v", err)
 			return err
 		}
 		fmt.Println("Converted successfully, please confirm your database's character set is now utf8mb4")
-	case setting.Database.Type.IsMSSQL():
-		if err := db.ConvertVarcharToNVarchar(); err != nil {
-			log.Fatal("Failed to convert database from varchar to nvarchar: %v", err)
-			return err
-		}
-		fmt.Println("Converted successfully, please confirm your database's all columns character is NVARCHAR now")
-	default:
-		fmt.Println("This command can only be used with a MySQL or MSSQL database")
+	} else {
+		fmt.Println("This command can only be used with a MySQL database")
 	}
 
 	return nil

cmd/doctor_test.go

@@ -7,10 +7,10 @@ import (
 	"context"
 	"testing"
 
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/services/doctor"
+	"forgejo.org/modules/log"
+	"forgejo.org/services/doctor"
 
-	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"github.com/urfave/cli/v2"
 )
 
@@ -25,9 +25,9 @@ func TestDoctorRun(t *testing.T) {
 	app := cli.NewApp()
 	app.Commands = []*cli.Command{cmdDoctorCheck}
 	err := app.Run([]string{"./gitea", "check", "--run", "test-check"})
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	err = app.Run([]string{"./gitea", "check", "--run", "no-such"})
-	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
+	require.ErrorContains(t, err, `unknown checks: "no-such"`)
 	err = app.Run([]string{"./gitea", "check", "--run", "test-check,no-such"})
-	assert.ErrorContains(t, err, `unknown checks: "no-such"`)
+	require.ErrorContains(t, err, `unknown checks: "no-such"`)
 }

cmd/dump.go

@@ -13,14 +13,14 @@ import (
 	"strings"
 	"time"
 
-	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/json"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/storage"
-	"code.gitea.io/gitea/modules/util"
+	"forgejo.org/models/db"
+	"forgejo.org/modules/json"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/storage"
+	"forgejo.org/modules/util"
 
-	"gitea.com/go-chi/session"
+	"code.forgejo.org/go-chi/session"
 	"github.com/mholt/archiver/v3"
 	"github.com/urfave/cli/v2"
 )
@@ -122,23 +122,22 @@ It can be used for backup and capture Forgejo server image to send to maintainer
 		&cli.StringFlag{
 			Name:    "tempdir",
 			Aliases: []string{"t"},
-			Value:   os.TempDir(),
 			Usage:   "Temporary dir path",
 		},
 		&cli.StringFlag{
 			Name:    "database",
 			Aliases: []string{"d"},
-			Usage:   "Specify the database SQL syntax: sqlite3, mysql, mssql, postgres",
+			Usage:   "Specify the database SQL syntax: sqlite3, mysql, postgres",
 		},
 		&cli.BoolFlag{
 			Name:    "skip-repository",
 			Aliases: []string{"R"},
-			Usage:   "Skip the repository dumping",
+			Usage:   "Skip repositories",
 		},
 		&cli.BoolFlag{
 			Name:    "skip-log",
 			Aliases: []string{"L"},
-			Usage:   "Skip the log dumping",
+			Usage:   "Skip logs",
 		},
 		&cli.BoolFlag{
 			Name:  "skip-custom-dir",
@@ -160,6 +159,10 @@ It can be used for backup and capture Forgejo server image to send to maintainer
 			Name:  "skip-index",
 			Usage: "Skip bleve index data",
 		},
+		&cli.BoolFlag{
+			Name:  "skip-repo-archives",
+			Usage: "Skip repository archives",
+		},
 		&cli.GenericFlag{
 			Name:  "type",
 			Value: outputTypeEnum,
@@ -233,7 +236,7 @@ func runDump(ctx *cli.Context) error {
 	if file == nil {
 		file, err = os.Create(fileName)
 		if err != nil {
-			fatal("Unable to open %s: %v", fileName, err)
+			fatal("Failed to open %s: %v", fileName, err)
 		}
 	}
 	defer file.Close()
@@ -250,7 +253,7 @@ func runDump(ctx *cli.Context) error {
 		iface, err = archiver.ByExtension(fileName)
 	}
 	if err != nil {
-		fatal("Unable to get archiver for extension: %v", err)
+		fatal("Failed to get archiver for extension: %v", err)
 	}
 
 	w, _ := iface.(archiver.Writer)
@@ -260,7 +263,7 @@ func runDump(ctx *cli.Context) error {
 	defer w.Close()
 
 	if ctx.IsSet("skip-repository") && ctx.Bool("skip-repository") {
-		log.Info("Skip dumping local repositories")
+		log.Info("Skipping local repositories")
 	} else {
 		log.Info("Dumping local repositories... %s", setting.RepoRootPath)
 		if err := addRecursiveExclude(w, "repos", setting.RepoRootPath, []string{absFileName}, verbose); err != nil {
@@ -268,9 +271,9 @@ func runDump(ctx *cli.Context) error {
 		}
 
 		if ctx.IsSet("skip-lfs-data") && ctx.Bool("skip-lfs-data") {
-			log.Info("Skip dumping LFS data")
+			log.Info("Skipping LFS data")
 		} else if !setting.LFS.StartServer {
-			log.Info("LFS isn't enabled. Skip dumping LFS data")
+			log.Info("LFS not enabled - skipping")
 		} else if err := storage.LFS.IterateObjects("", func(objPath string, object storage.Object) error {
 			info, err := object.Stat()
 			if err != nil {
@@ -284,18 +287,31 @@ func runDump(ctx *cli.Context) error {
 	}
 
 	tmpDir := ctx.String("tempdir")
+	if tmpDir == "" {
+		tmpDir, err = os.MkdirTemp("", "forgejo-dump-*")
+		if err != nil {
+			fatal("Failed to create temporary directory: %v", err)
+		}
+
+		defer func() {
+			if err := util.Remove(tmpDir); err != nil {
+				log.Warn("Failed to remove temporary directory: %s: Error: %v", tmpDir, err)
+			}
+		}()
+	}
+
 	if _, err := os.Stat(tmpDir); os.IsNotExist(err) {
 		fatal("Path does not exist: %s", tmpDir)
 	}
 
 	dbDump, err := os.CreateTemp(tmpDir, "forgejo-db.sql")
 	if err != nil {
-		fatal("Failed to create tmp file: %v", err)
+		fatal("Failed to create temporary file: %v", err)
 	}
 	defer func() {
 		_ = dbDump.Close()
 		if err := util.Remove(dbDump.Name()); err != nil {
-			log.Warn("Unable to remove temporary file: %s: Error: %v", dbDump.Name(), err)
+			log.Warn("Failed to remove temporary database file: %s: Error: %v", dbDump.Name(), err)
 		}
 	}()
 
@@ -331,16 +347,16 @@ func runDump(ctx *cli.Context) error {
 					fatal("Failed to include custom: %v", err)
 				}
 			} else {
-				log.Info("Custom dir %s is inside data dir %s, skipped", setting.CustomPath, setting.AppDataPath)
+				log.Info("Custom dir %s is inside data dir %s, skipping", setting.CustomPath, setting.AppDataPath)
 			}
 		} else {
-			log.Info("Custom dir %s doesn't exist, skipped", setting.CustomPath)
+			log.Info("Custom dir %s does not exist, skipping", setting.CustomPath)
 		}
 	}
 
 	isExist, err := util.IsExist(setting.AppDataPath)
 	if err != nil {
-		log.Error("Unable to check if %s exists. Error: %v", setting.AppDataPath, err)
+		log.Error("Failed to check if %s exists: %v", setting.AppDataPath, err)
 	}
 	if isExist {
 		log.Info("Packing data directory...%s", setting.AppDataPath)
@@ -355,10 +371,16 @@ func runDump(ctx *cli.Context) error {
 		}
 
 		if ctx.IsSet("skip-index") && ctx.Bool("skip-index") {
+			log.Info("Skipping bleve index data")
 			excludes = append(excludes, setting.Indexer.RepoPath)
 			excludes = append(excludes, setting.Indexer.IssuePath)
 		}
 
+		if ctx.IsSet("skip-repo-archives") && ctx.Bool("skip-repo-archives") {
+			log.Info("Skipping repository archives data")
+			excludes = append(excludes, setting.RepoArchive.Storage.Path)
+		}
+
 		excludes = append(excludes, setting.RepoRootPath)
 		excludes = append(excludes, setting.LFS.Storage.Path)
 		excludes = append(excludes, setting.Attachment.Storage.Path)
@@ -371,7 +393,7 @@ func runDump(ctx *cli.Context) error {
 	}
 
 	if ctx.IsSet("skip-attachment-data") && ctx.Bool("skip-attachment-data") {
-		log.Info("Skip dumping attachment data")
+		log.Info("Skipping attachment data")
 	} else if err := storage.Attachments.IterateObjects("", func(objPath string, object storage.Object) error {
 		info, err := object.Stat()
 		if err != nil {
@@ -384,9 +406,9 @@ func runDump(ctx *cli.Context) error {
 	}
 
 	if ctx.IsSet("skip-package-data") && ctx.Bool("skip-package-data") {
-		log.Info("Skip dumping package data")
+		log.Info("Skipping package data")
 	} else if !setting.Packages.Enabled {
-		log.Info("Packages isn't enabled. Skip dumping package data")
+		log.Info("Package registry not enabled - skipping")
 	} else if err := storage.Packages.IterateObjects("", func(objPath string, object storage.Object) error {
 		info, err := object.Stat()
 		if err != nil {
@@ -402,11 +424,11 @@ func runDump(ctx *cli.Context) error {
 	// ensuring that it's clear the dump is skipped whether the directory's initialized
 	// yet or not.
 	if ctx.IsSet("skip-log") && ctx.Bool("skip-log") {
-		log.Info("Skip dumping log files")
+		log.Info("Skipping log files")
 	} else {
 		isExist, err := util.IsExist(setting.Log.RootPath)
 		if err != nil {
-			log.Error("Unable to check if %s exists. Error: %v", setting.Log.RootPath, err)
+			log.Error("Failed to check if %s exists: %v", setting.Log.RootPath, err)
 		}
 		if isExist {
 			if err := addRecursiveExclude(w, "log", setting.Log.RootPath, []string{absFileName}, verbose); err != nil {
@@ -456,7 +478,7 @@ func addRecursiveExclude(w archiver.Writer, insidePath, absPath string, excludeA
 		currentInsidePath := path.Join(insidePath, file.Name())
 
 		if util.SliceContainsString(excludeAbsPath, currentAbsPath) {
-			log.Debug("Skipping %q because matched an excluded path.", currentAbsPath)
+			log.Debug("Skipping %q (matched an excluded path)", currentAbsPath)
 			continue
 		}
 

cmd/dump_repo.go

@@ -10,14 +10,14 @@ import (
 	"os"
 	"strings"
 
-	"code.gitea.io/gitea/modules/git"
-	"code.gitea.io/gitea/modules/log"
-	base "code.gitea.io/gitea/modules/migration"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/structs"
-	"code.gitea.io/gitea/modules/util"
-	"code.gitea.io/gitea/services/convert"
-	"code.gitea.io/gitea/services/migrations"
+	"forgejo.org/modules/git"
+	"forgejo.org/modules/log"
+	base "forgejo.org/modules/migration"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/structs"
+	"forgejo.org/modules/util"
+	"forgejo.org/services/convert"
+	"forgejo.org/services/migrations"
 
 	"github.com/urfave/cli/v2"
 )

cmd/dump_test.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/mholt/archiver/v3"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 type mockArchiver struct {
@@ -35,29 +36,29 @@ func TestAddRecursiveExclude(t *testing.T) {
 		archiver := &mockArchiver{}
 
 		err := addRecursiveExclude(archiver, "", dir, []string{}, false)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 		assert.Empty(t, archiver.addedFiles)
 	})
 
 	t.Run("Single file", func(t *testing.T) {
 		dir := t.TempDir()
 		err := os.WriteFile(dir+"/example", nil, 0o666)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 
 		t.Run("No exclude", func(t *testing.T) {
 			archiver := &mockArchiver{}
 
 			err = addRecursiveExclude(archiver, "", dir, nil, false)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.Len(t, archiver.addedFiles, 1)
-			assert.EqualValues(t, "example", archiver.addedFiles[0])
+			assert.Contains(t, archiver.addedFiles, "example")
 		})
 
 		t.Run("With exclude", func(t *testing.T) {
 			archiver := &mockArchiver{}
 
 			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/example"}, false)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.Empty(t, archiver.addedFiles)
 		})
 	})
@@ -65,30 +66,30 @@ func TestAddRecursiveExclude(t *testing.T) {
 	t.Run("File inside directory", func(t *testing.T) {
 		dir := t.TempDir()
 		err := os.MkdirAll(dir+"/deep/nested/folder", 0o750)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 		err = os.WriteFile(dir+"/deep/nested/folder/example", nil, 0o666)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 		err = os.WriteFile(dir+"/deep/nested/folder/another-file", nil, 0o666)
-		assert.NoError(t, err)
+		require.NoError(t, err)
 
 		t.Run("No exclude", func(t *testing.T) {
 			archiver := &mockArchiver{}
 
 			err = addRecursiveExclude(archiver, "", dir, nil, false)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.Len(t, archiver.addedFiles, 5)
-			assert.EqualValues(t, "deep", archiver.addedFiles[0])
-			assert.EqualValues(t, "deep/nested", archiver.addedFiles[1])
-			assert.EqualValues(t, "deep/nested/folder", archiver.addedFiles[2])
-			assert.EqualValues(t, "deep/nested/folder/example", archiver.addedFiles[3])
-			assert.EqualValues(t, "deep/nested/folder/another-file", archiver.addedFiles[4])
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/example")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
 		})
 
 		t.Run("Exclude first directory", func(t *testing.T) {
 			archiver := &mockArchiver{}
 
 			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep"}, false)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.Empty(t, archiver.addedFiles)
 		})
 
@@ -96,22 +97,22 @@ func TestAddRecursiveExclude(t *testing.T) {
 			archiver := &mockArchiver{}
 
 			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder"}, false)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.Len(t, archiver.addedFiles, 2)
-			assert.EqualValues(t, "deep", archiver.addedFiles[0])
-			assert.EqualValues(t, "deep/nested", archiver.addedFiles[1])
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
 		})
 
 		t.Run("Exclude file", func(t *testing.T) {
 			archiver := &mockArchiver{}
 
 			err = addRecursiveExclude(archiver, "", dir, []string{dir + "/deep/nested/folder/example"}, false)
-			assert.NoError(t, err)
+			require.NoError(t, err)
 			assert.Len(t, archiver.addedFiles, 4)
-			assert.EqualValues(t, "deep", archiver.addedFiles[0])
-			assert.EqualValues(t, "deep/nested", archiver.addedFiles[1])
-			assert.EqualValues(t, "deep/nested/folder", archiver.addedFiles[2])
-			assert.EqualValues(t, "deep/nested/folder/another-file", archiver.addedFiles[3])
+			assert.Contains(t, archiver.addedFiles, "deep")
+			assert.Contains(t, archiver.addedFiles, "deep/nested")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder")
+			assert.Contains(t, archiver.addedFiles, "deep/nested/folder/another-file")
 		})
 	})
 }

cmd/embedded.go

@@ -10,13 +10,13 @@ import (
 	"path/filepath"
 	"strings"
 
-	"code.gitea.io/gitea/modules/assetfs"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/options"
-	"code.gitea.io/gitea/modules/public"
-	"code.gitea.io/gitea/modules/setting"
-	"code.gitea.io/gitea/modules/templates"
-	"code.gitea.io/gitea/modules/util"
+	"forgejo.org/modules/assetfs"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/options"
+	"forgejo.org/modules/public"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/templates"
+	"forgejo.org/modules/util"
 
 	"github.com/gobwas/glob"
 	"github.com/urfave/cli/v2"
@@ -157,9 +157,9 @@ func runViewDo(c *cli.Context) error {
 	}
 
 	if len(matchedAssetFiles) == 0 {
-		return fmt.Errorf("no files matched the given pattern")
+		return errors.New("no files matched the given pattern")
 	} else if len(matchedAssetFiles) > 1 {
-		return fmt.Errorf("too many files matched the given pattern, try to be more specific")
+		return errors.New("too many files matched the given pattern, try to be more specific")
 	}
 
 	data, err := matchedAssetFiles[0].fs.ReadFile(matchedAssetFiles[0].name)
@@ -180,7 +180,7 @@ func runExtractDo(c *cli.Context) error {
 	}
 
 	if c.NArg() == 0 {
-		return fmt.Errorf("a list of pattern of files to extract is mandatory (e.g. '**' for all)")
+		return errors.New("a list of pattern of files to extract is mandatory (e.g. '**' for all)")
 	}
 
 	destdir := "."

cmd/forgejo/actions.go

@@ -11,10 +11,10 @@ import (
 	"os"
 	"strings"
 
-	actions_model "code.gitea.io/gitea/models/actions"
-	"code.gitea.io/gitea/modules/private"
-	"code.gitea.io/gitea/modules/setting"
-	private_routers "code.gitea.io/gitea/routers/private"
+	actions_model "forgejo.org/models/actions"
+	"forgejo.org/modules/private"
+	"forgejo.org/modules/setting"
+	private_routers "forgejo.org/routers/private"
 
 	"github.com/urfave/cli/v2"
 )
@@ -86,6 +86,11 @@ func SubcmdActionsRegister(ctx context.Context) *cli.Command {
 				Value: "",
 				Usage: "comma separated list of labels supported by the runner (e.g. docker,ubuntu-latest,self-hosted)  (not required since v1.21)",
 			},
+			&cli.BoolFlag{
+				Name:  "keep-labels",
+				Value: false,
+				Usage: "do not affect the labels when updating an existing runner",
+			},
 			&cli.StringFlag{
 				Name:  "name",
 				Value: "runner",
@@ -133,9 +138,20 @@ func validateSecret(secret string) error {
 	return nil
 }
 
+func getLabels(cliCtx *cli.Context) (*[]string, error) {
+	if !cliCtx.Bool("keep-labels") {
+		lblValue := strings.Split(cliCtx.String("labels"), ",")
+		return &lblValue, nil
+	}
+	if cliCtx.String("labels") != "" {
+		return nil, fmt.Errorf("--labels and --keep-labels should not be used together")
+	}
+	return nil, nil
+}
+
 func RunRegister(ctx context.Context, cliCtx *cli.Context) error {
+	var cancel context.CancelFunc
 	if !ContextGetNoInit(ctx) {
-		var cancel context.CancelFunc
 		ctx, cancel = installSignals(ctx)
 		defer cancel()
 
@@ -153,9 +169,12 @@ func RunRegister(ctx context.Context, cliCtx *cli.Context) error {
 		return err
 	}
 	scope := cliCtx.String("scope")
-	labels := cliCtx.String("labels")
 	name := cliCtx.String("name")
 	version := cliCtx.String("version")
+	labels, err := getLabels(cliCtx)
+	if err != nil {
+		return err
+	}
 
 	//
 	// There are two kinds of tokens
@@ -179,7 +198,7 @@ func RunRegister(ctx context.Context, cliCtx *cli.Context) error {
 		return err
 	}
 
-	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, strings.Split(labels, ","), name, version)
+	runner, err := actions_model.RegisterRunner(ctx, owner, repo, secret, labels, name, version)
 	if err != nil {
 		return fmt.Errorf("error while registering runner: %v", err)
 	}

cmd/forgejo/actions_test.go

@@ -0,0 +1,88 @@
+// Copyright The Forgejo Authors.
+// SPDX-License-Identifier: MIT
+
+package forgejo
+
+import (
+	"fmt"
+	"testing"
+
+	"forgejo.org/services/context"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/urfave/cli/v2"
+)
+
+func TestActions_getLabels(t *testing.T) {
+	type testCase struct {
+		args      []string
+		hasLabels bool
+		hasError  bool
+		labels    []string
+	}
+	type resultType struct {
+		labels *[]string
+		err    error
+	}
+
+	cases := []testCase{
+		{
+			args:      []string{"x"},
+			hasLabels: true,
+			hasError:  false,
+			labels:    []string{""},
+		}, {
+			args:      []string{"x", "--labels", "a,b"},
+			hasLabels: true,
+			hasError:  false,
+			labels:    []string{"a", "b"},
+		}, {
+			args:      []string{"x", "--keep-labels"},
+			hasLabels: false,
+			hasError:  false,
+		}, {
+			args:      []string{"x", "--keep-labels", "--labels", "a,b"},
+			hasLabels: false,
+			hasError:  true,
+		}, {
+			// this edge-case exists because that's what actually happens
+			// when no '--labels ...' options are present
+			args:      []string{"x", "--keep-labels", "--labels", ""},
+			hasLabels: false,
+			hasError:  false,
+		},
+	}
+
+	flags := SubcmdActionsRegister(context.Context{}).Flags
+	for _, c := range cases {
+		t.Run(fmt.Sprintf("args: %v", c.args), func(t *testing.T) {
+			// Create a copy of command to test
+			var result *resultType
+			app := cli.NewApp()
+			app.Flags = flags
+			app.Action = func(ctx *cli.Context) error {
+				labels, err := getLabels(ctx)
+				result = &resultType{labels, err}
+				return nil
+			}
+
+			// Run it
+			_ = app.Run(c.args)
+
+			// Test the results
+			require.NotNil(t, result)
+			if c.hasLabels {
+				assert.NotNil(t, result.labels)
+				assert.Equal(t, c.labels, *result.labels)
+			} else {
+				assert.Nil(t, result.labels)
+			}
+			if c.hasError {
+				require.Error(t, result.err)
+			} else {
+				assert.NoError(t, result.err)
+			}
+		})
+	}
+}

cmd/forgejo/f3.go

@@ -0,0 +1,77 @@
+// Copyright Earl Warren <contact@earl-warren.org>
+// Copyright Loïc Dachary <loic@dachary.org>
+// SPDX-License-Identifier: MIT
+
+package forgejo
+
+import (
+	"context"
+	"errors"
+
+	"forgejo.org/models"
+	"forgejo.org/modules/git"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/setting"
+	"forgejo.org/modules/storage"
+	"forgejo.org/services/f3/util"
+
+	_ "forgejo.org/services/f3/driver" // register the driver
+
+	f3_cmd "code.forgejo.org/f3/gof3/v3/cmd"
+	f3_logger "code.forgejo.org/f3/gof3/v3/logger"
+	f3_util "code.forgejo.org/f3/gof3/v3/util"
+	"github.com/urfave/cli/v2"
+)
+
+func CmdF3(ctx context.Context) *cli.Command {
+	ctx = f3_logger.ContextSetLogger(ctx, util.NewF3Logger(nil, log.GetLogger(log.DEFAULT)))
+	return &cli.Command{
+		Name:  "f3",
+		Usage: "F3",
+		Subcommands: []*cli.Command{
+			SubcmdF3Mirror(ctx),
+		},
+	}
+}
+
+func SubcmdF3Mirror(ctx context.Context) *cli.Command {
+	mirrorCmd := f3_cmd.CreateCmdMirror(ctx)
+	mirrorCmd.Before = prepareWorkPathAndCustomConf(ctx)
+	f3Action := mirrorCmd.Action
+	mirrorCmd.Action = func(c *cli.Context) error { return runMirror(ctx, c, f3Action) }
+	return mirrorCmd
+}
+
+func runMirror(ctx context.Context, c *cli.Context, action cli.ActionFunc) error {
+	setting.LoadF3Setting()
+	if !setting.F3.Enabled {
+		return errors.New("F3 is disabled, it is not ready to be used and is only present for development purposes")
+	}
+
+	var cancel context.CancelFunc
+	if !ContextGetNoInit(ctx) {
+		ctx, cancel = installSignals(ctx)
+		defer cancel()
+
+		if err := initDB(ctx); err != nil {
+			return err
+		}
+
+		if err := storage.Init(); err != nil {
+			return err
+		}
+
+		if err := git.InitSimple(ctx); err != nil {
+			return err
+		}
+		if err := models.Init(ctx); err != nil {
+			return err
+		}
+	}
+
+	err := action(c)
+	if panicError, ok := err.(f3_util.PanicError); ok {
+		log.Debug("F3 Stack trace\n%s", panicError.Stack())
+	}
+	return err
+}

cmd/forgejo/forgejo.go

@@ -11,10 +11,10 @@ import (
 	"os/signal"
 	"syscall"
 
-	"code.gitea.io/gitea/models/db"
-	"code.gitea.io/gitea/modules/log"
-	"code.gitea.io/gitea/modules/private"
-	"code.gitea.io/gitea/modules/setting"
+	"forgejo.org/models/db"
+	"forgejo.org/modules/log"
+	"forgejo.org/modules/private"
+	"forgejo.org/modules/setting"
 
 	"github.com/urfave/cli/v2"
 )
@@ -36,6 +36,7 @@ func CmdForgejo(ctx context.Context) *cli.Command {
 		Flags: []cli.Flag{},
 		Subcommands: []*cli.Command{
 			CmdActions(ctx),
+			CmdF3(ctx),
 		},
 	}
 }

cmd/generate.go

@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"os"
 
-	"code.gitea.io/gitea/modules/generate"
+	"forgejo.org/modules/generate"
 
 	"github.com/mattn/go-isatty"
 	"github.com/urfave/cli/v2"
@@ -70,10 +70,7 @@ func runGenerateInternalToken(c *cli.Context) error {
 }
 
 func runGenerateLfsJwtSecret(c *cli.Context) error {
-	_, jwtSecretBase64, err := generate.NewJwtSecret()
-	if err != nil {
-		return err
-	}
+	_, jwtSecretBase64 := generate.NewJwtSecret()
 
 	fmt.Printf("%s", jwtSecretBase64)